Ethical Hacking News
Hackers are exploiting a critical ProjectSend vulnerability, leaving thousands of exposed servers open to attack. With 99% of instances still running a vulnerable version, it's time to upgrade your ProjectSend application to patch this security bug.
Hackers have exploited a critical authentication bypass flaw in ProjectSend, allowing remote access to thousands of exposed servers. The vulnerability (CVE-2024-11680) was discovered in May 2023 but not patched until November 27, 2024. A staggering 99% of ProjectSend instances are still running a vulnerable version. Attackers have used the flaw to gain unauthorized access, plant webshells, and deploy malicious code. Upgrading to ProjectSend version r1750 is critical to prevent attacks, with estimates suggesting around 4,000 public-facing instances are online.
Hackers have been exploiting a critical authentication bypass flaw in ProjectSend, a popular open-source file-sharing web application, to gain remote access to thousands of exposed servers. The vulnerability, tracked as CVE-2024-11680, allows attackers to send specially crafted HTTP requests to the 'options.php' page, enabling them to alter the application's configuration and create rogue accounts.
The ProjectSend flaw was discovered in May 2023, but it wasn't until November 27, 2024, that a comprehensive report highlighting the severity of the issue was released. According to VulnCheck, which has been detecting active exploitation of the vulnerability, the patching pace for this critical bug has been abysmal, with an astonishing 99% of ProjectSend instances still running a vulnerable version.
Exploitation has gone well beyond testing: attackers have used the flaw to gain unauthorized access, plant webshells, and deploy malicious JavaScript code. Their modus operandi involves sending HTTP requests that alter the 'sitename' value in the configuration file, which changes the application's title. Whereas a legitimate administrator would see only a change in the server's domain name, the exploited instances show long, random strings embedded in the URL.
The webshells planted by attackers are files named after POSIX timestamps, SHA1 hashes of the username, and the original file names/versions. Requests that access these files directly through the web server are an indicator of active exploitation of the ProjectSend flaw. The researchers at VulnCheck urge upgrading to ProjectSend version r1750 as soon as possible, because attacks are likely already widespread.
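The indicators described above (crafted requests to 'options.php' and direct web access to planted files named from a POSIX timestamp, a username SHA1 hash and the original file name) can be turned into a simple log check. The following is an added example for defenders, not code from the article or from the ProjectSend project; it assumes Apache/nginx "combined" log format, an upload directory of `upload/files/`, a `-` separator between the three name parts, and the `r<number>` version string shown in the article. The log lines are constructed samples.

```python
import hashlib
import re

# Combined log format: ip - user [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed naming of uploaded files: <10-digit POSIX timestamp>-<sha1 of username>-<original name>.
# The directory and the '-' separator are assumptions made for this example.
UPLOAD_RE = re.compile(
    r'/upload/files/(?P<ts>\d{10})-(?P<sha1>[0-9a-f]{40})-(?P<name>[^/?]+)'
)

WEBSHELL_EXTS = (".php", ".phtml", ".phar")
PATCHED_RELEASE = 1750  # article: upgrade to r1750


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return indicator tags for one parsed log entry (empty list if nothing suspicious)."""
    tags = []
    path = entry["path"].split("?", 1)[0]
    # Indicator 1: configuration changes are pushed through POST requests to options.php.
    if path.endswith("/options.php") and entry["method"] == "POST":
        tags.append("options_php_post")
    # Indicator 2: a client fetching an uploaded file directly by its on-disk name.
    m = UPLOAD_RE.search(path)
    if m:
        tags.append("direct_upload_access")
        if m.group("name").lower().endswith(WEBSHELL_EXTS):
            tags.append("php_in_uploads")  # executable content in the upload store
    return tags


def scan(lines):
    """Scan log lines and return (ip, method, path, tags) for every entry with indicators."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            findings.append((entry["ip"], entry["method"], entry["path"], tags))
    return findings


def needs_upgrade(version):
    """True if a ProjectSend version string like 'r1720' is older than the patched r1750."""
    return int(version.lstrip("r")) < PATCHED_RELEASE


# Constructed sample log: one attacker-like session and one benign client.
_SHA1 = hashlib.sha1(b"admin").hexdigest()
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Nov/2024:10:00:01 +0000] "POST /options.php HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    f'203.0.113.5 - - [27/Nov/2024:10:00:05 +0000] "GET /upload/files/1732701605-{_SHA1}-shell.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.7 - - [27/Nov/2024:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Nov/2024:10:01:30 +0000] "GET /process.php?do=download&id=42 HTTP/1.1" 200 90000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, method, path, tags in scan(SAMPLE_LOG):
        print(ip, method, path, tags)
    print("r1720 needs upgrade:", needs_upgrade("r1720"))
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; a POST to options.php followed by a direct fetch of a .php file under the upload directory from the same client is the sequence worth escalating, and any instance reporting a version below r1750 should be upgraded regardless of what the logs show.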
The severity of this vulnerability highlights the importance of keeping software up to date, especially for self-hosted open-source applications like ProjectSend, whose users take on the responsibility of patching themselves. According to Censys data, there are roughly 4,000 public-facing ProjectSend instances online, most of which are vulnerable to this critical bug.
ProjectSend is an open-source file-sharing web application designed to facilitate secure and private file transfers between a server administrator and clients. It has gained popularity among organizations that prefer self-hosted solutions over third-party services such as Google Drive or Dropbox. The widespread adoption of ProjectSend by companies emphasizes the need for vigilance in maintaining software security.
The recent case highlights the importance of proactive security measures, including regular software updates and monitoring of vulnerability reports. Users should therefore prioritize patching this critical bug without delay to prevent exploitation by malicious actors.
In conclusion, hackers have successfully exploited a ProjectSend authentication bypass flaw to gain remote access to thousands of servers. The severity of this vulnerability underscores the need for organizations and individuals using ProjectSend to ensure that their software is up-to-date and running the latest version.
Related Information:
https://www.bleepingcomputer.com/news/security/hackers-exploit-projectsend-flaw-to-backdoor-exposed-servers/
https://thehackernews.com/2024/11/critical-flaw-in-projectsend-under.html
https://nvd.nist.gov/vuln/detail/CVE-2024-11680
https://www.cvedetails.com/cve/CVE-2024-11680/
Published: Wed Nov 27 16:26:52 2024 by llama3.2 3B Q4_K_M