Ethical Hacking News
Cyber Security Experts Warn of Critical Flaw in Open-Source File-Sharing Application ProjectSend
A critical security flaw has been discovered in the open-source file-sharing application ProjectSend, and it may be under active exploitation. Researchers have warned that the vulnerability, tracked as CVE-2024-11680, could allow remote, unauthenticated attackers to gain unauthorized access to the application's configuration, create accounts, upload webshells, and embed malicious JavaScript.
Cyber security experts have identified a critical security flaw in ProjectSend that allows remote, unauthenticated attackers to modify the application's configuration. The vulnerability (CVE-2024-11680) carries a CVSS score of 9.8, indicating that it is considered extremely serious. Using this flaw, attackers can create accounts, upload webshells, and embed malicious JavaScript. A significant proportion of ProjectSend instances (55%) are running the outdated version r1605, leaving them open to exploitation. Experts urge users to update their ProjectSend installations to the latest version (r1750) to prevent potential security breaches.
Cyber security experts have sounded the alarm over a critical security flaw discovered in the open-source file-sharing application ProjectSend. The vulnerability, tracked as CVE-2024-11680, carries a score of 9.8 on the Common Vulnerability Scoring System (CVSS) scale, indicating that it is considered extremely serious.
According to researchers, the flaw in ProjectSend allows remote and unauthenticated attackers to exploit the application's configuration by sending crafted HTTP requests. This could enable attackers to create accounts, upload webshells, and embed malicious JavaScript, potentially leading to a range of security issues including data breaches and malware infections.
The vulnerability was first identified by VulnCheck researchers, who noticed that public-facing ProjectSend servers had started to change their landing page titles to long, random-looking strings. These changes were found to be consistent with the behavior of exploit tools such as Nuclei and Metasploit, which are used to test for vulnerabilities in software applications.
The patch for this vulnerability was made publicly available on May 16, 2023, but researchers have warned that multiple exploits have been published by research teams since then. These exploits include code released by Project Discovery and Rapid7, and they have been actively used by threat actors to target vulnerable versions of the application.
Experts believe that the threat actors are using a combination of techniques to exploit the vulnerability, including enabling user registration, which allows attackers to gain post-authentication access to the application's configuration. This enables attackers to alter the landing page to prompt account creation, making it easier for them to install webshells and embed malicious JavaScript.
Researchers have also found that attackers are storing their uploaded webshells in a predictable location (upload/files/), with filenames based on upload timestamps, username hashes, and the original file name. This makes it easier for defenders to identify exploitation attempts by analyzing server access logs and checking for direct access to this location.
According to Censys data, ProjectSend has over 1,500 GitHub stars and more than 4,000 instances are exposed online. However, only around 1% of these instances are running the patched version (r1750), while 55% are running version r1605, released in October 2022.
The researchers point out that this suggests that a significant proportion of ProjectSend instances are not being updated with the latest security patch, leaving them vulnerable to exploitation. They believe that the lack of patch adoption is due to various factors, including the complexity of updating the application and the need for users to actively seek out updates.
Experts have urged users to take immediate action to update their ProjectSend installations to the latest version (r1750) to prevent potential security breaches. Additionally, defenders are advised to monitor server access logs and check for direct access to the upload/files/ location to identify potential exploitation attempts.
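The log check described above, as an added example that is not part of the original article or of ProjectSend itself: it scans web server access log lines for direct requests to the upload/files/ location and ranks hits. It assumes the server writes combined log format; the sample lines and their filenames are constructed for illustration, and the extension list used to rank hits is a heuristic, not something the article specifies.

```python
import re
from urllib.parse import urlsplit

# Location the article names as where uploaded webshells land.
UPLOAD_DIR = "/upload/files/"
# Extensions the web server would execute; assumption used only to rank hits.
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")

# Combined-log-format line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not from a real server); the filenames only
# illustrate the timestamp/hash/original-name pattern the article describes.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Nov/2024:02:10:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Nov/2024:02:10:09 +0000] "GET /upload/files/1732759805-8f14e45fceea167a5a36dedd4bea2543-shell.php?cmd=id HTTP/1.1" 200 89 "-" "python-requests/2.31"
198.51.100.7 - - [28/Nov/2024:02:11:00 +0000] "GET /upload/files/1732759860-c4ca4238a0b923820dcc509a6f75849b-report.pdf HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
"""


def find_direct_upload_access(log_text: str) -> list[dict]:
    """Return one record per request that fetches UPLOAD_DIR directly.

    Severity is "high" when the requested file has a server-executable
    extension or carries a query string (a webshell being driven),
    "low" otherwise (may be a legitimate direct download; still review it).
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash on dirty logs
        parts = urlsplit(m["target"])
        if not parts.path.startswith(UPLOAD_DIR):
            continue
        executable = parts.path.lower().endswith(SCRIPT_EXTS)
        severity = "high" if (executable or parts.query) else "low"
        hits.append({"ip": m["ip"], "ts": m["ts"], "path": parts.path,
                     "status": int(m["status"]), "severity": severity})
    return hits


if __name__ == "__main__":
    for h in find_direct_upload_access(SAMPLE_LOG):
        print(f'{h["severity"]:<4} {h["ip"]:<15} {h["status"]} {h["path"]}')
```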
In conclusion, the critical flaw in ProjectSend highlights the importance of regular software updates and patching to prevent security vulnerabilities. Cyber security experts have sounded the alarm over this issue, urging users to take action to protect themselves from potential attacks.
Related Information:
https://securityaffairs.com/171494/hacking/projectsend-critical-flaw-actively-exploited.html
Published: Thu Nov 28 02:53:51 2024 by llama3.2 3B Q4_K_M