CVE-2016-10732 in ProjectSend

Summary

by MITRE

ProjectSend (formerly cFTP) r582 allows authentication bypass via a direct request for users.php, home.php, edit-file.php?file_id=1, or process-zip-download.php, or add_user_form_* parameters to users-add.php.


Analysis

by VulDB Data Team • 04/07/2020

ProjectSend r582 contains a critical authentication bypass: unauthenticated attackers can reach protected administrative functions simply by requesting specific endpoints directly. The flaw stems from missing access control checks in the affected scripts, which lets a request skip the login process entirely and gain unauthorized access to sensitive administrative features. Affected endpoints include users.php, home.php, edit-file.php with a file_id parameter, process-zip-download.php, and the add_user_form_* parameters of users-add.php, each of which is a separate vector for privilege escalation.

The root cause is that session validation and user authentication checks are either missing from, or not enforced by, the affected pages. Under CWE-285 this is an improper authorization issue: the system does not verify that the requesting user holds the required privileges before granting access to a protected resource. Because the administrative pages can be loaded without a valid session, the normal authentication workflow is never consulted, which amounts to a backdoor access path into the application.

The operational impact of this vulnerability is severe as it provides attackers with complete administrative control over the ProjectSend instance. An unauthenticated attacker can leverage this flaw to manipulate user accounts, modify file permissions, access sensitive data, and potentially establish persistent access to the system. This vulnerability directly maps to several ATT&CK techniques including T1078 for valid accounts and T1566 for credential harvesting, as it allows adversaries to gain unauthorized access to administrative functions without proper credentials. The compromised system may serve as a pivot point for further attacks within the network infrastructure.

Mitigation strategies should focus on implementing proper access control validation for all administrative endpoints and ensuring that session management is robustly enforced throughout the application. Organizations should immediately apply the vendor-provided security patches and implement additional controls such as rate limiting on authentication endpoints and monitoring for suspicious direct requests to administrative pages. Network segmentation and web application firewalls can provide additional layers of protection by blocking unauthorized access attempts to sensitive endpoints. Regular security audits and penetration testing should verify that all authentication mechanisms are properly functioning and that no similar bypass vulnerabilities exist within the application's codebase.
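The following is an added example written for this page, not ProjectSend's own code. It models the page-level guard the mitigation paragraph calls for: the vulnerable shape, where a script starts processing as soon as it is requested, next to a hardened shape that fails closed on a missing session, a wrong role, or a file id the caller does not own. The session keys (`user_id`, `role`), the role names, the `login.php` target and the sample requests are all constructed assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not ProjectSend's own code). Assumed, hypothetical
// conventions: after verifying credentials the login handler stores
// $_SESSION['user_id'] and $_SESSION['role'] ('admin' or 'client');
// here the session is passed in as an array so the logic is testable.

const ADMIN_ONLY = ['admin'];
const ANY_USER   = ['admin', 'client'];

// Endpoints named in the advisory and the role each one should require.
const ENDPOINT_ROLES = [
    'home.php'                 => ANY_USER,
    'users.php'                => ADMIN_ONLY,
    'users-add.php'            => ADMIN_ONLY,
    'edit-file.php'            => ANY_USER,   // plus ownership check below
    'process-zip-download.php' => ANY_USER,   // plus ownership check below
];

/**
 * Vulnerable shape: the script assumes the link was only ever shown to a
 * logged-in user and processes the request immediately, so a direct GET or
 * POST from anyone reaches the handler.
 */
function handle_vulnerable(string $script, array $session, array $params): string
{
    return "200 OK: {$script} processed " . json_encode($params);
}

/**
 * Hardened shape, step 1: authenticate and authorize before reading any
 * request parameter. Returns null when the caller may proceed.
 */
function authorize(string $script, array $session): ?string
{
    if (!isset(ENDPOINT_ROLES[$script])) {
        return '404 Not Found';
    }
    if (empty($session['user_id']) || empty($session['role'])) {
        return '302 Redirect: login.php';          // no session at all
    }
    if (!in_array($session['role'], ENDPOINT_ROLES[$script], true)) {
        return '403 Forbidden';                    // wrong role for this page
    }
    return null;
}

/** Hardened shape, step 2: object-level check for file ids in the query. */
function may_touch_file(array $session, array $files, int $file_id): bool
{
    if (!isset($files[$file_id])) {
        return false;
    }
    return $session['role'] === 'admin' || $files[$file_id] === $session['user_id'];
}

function handle_hardened(string $script, array $session, array $params, array $files): string
{
    if (($denied = authorize($script, $session)) !== null) {
        return $denied;
    }
    if (in_array($script, ['edit-file.php', 'process-zip-download.php'], true)) {
        $file_id = filter_var($params['file_id'] ?? null, FILTER_VALIDATE_INT);
        if ($file_id === false || !may_touch_file($session, $files, $file_id)) {
            return '403 Forbidden';
        }
    }
    return "200 OK: {$script} processed " . json_encode($params);
}

// Constructed sample data: file id => owner user id, and three callers.
$files  = [1 => 7, 2 => 9];
$anon   = [];
$client = ['user_id' => 7, 'role' => 'client'];
$admin  = ['user_id' => 1, 'role' => 'admin'];

$requests = [
    ['users.php',     $anon,   []],
    ['users-add.php', $anon,   ['add_user_form_example' => 'placeholder']],
    ['edit-file.php', $anon,   ['file_id' => '1']],
    ['edit-file.php', $client, ['file_id' => '2']],   // someone else's file
    ['edit-file.php', $client, ['file_id' => '1']],   // own file
    ['users.php',     $client, []],
    ['users.php',     $admin,  []],
];

foreach ($requests as [$script, $session, $params]) {
    $who = $session['role'] ?? 'anon';
    printf("%-14s %-6s vulnerable: %s\n", $script, $who, handle_vulnerable($script, $session, $params));
    printf("%-14s %-6s hardened:   %s\n", $script, $who, handle_hardened($script, $session, $params, $files));
}
```

The point of the structure is that the guard runs first and is shared by every endpoint, so a page cannot be reached by "forgetting" to include a check; the per-object ownership test then covers the `file_id` style parameters, where a valid session alone is not sufficient. When auditing for similar bypasses, the question to ask of each script is whether it can produce any output at all before the guard has returned null.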

Reservation

10/27/2018

Disclosure

10/29/2018

Moderation

accepted

CPE

ready

EPSS

0.00403

KEV

no

Activities

very low

Sources
