| Title | Projeqtor 12.0.2 Improper Input Validation |
|---|---|
| Description | A critical vulnerability in Projeqtor v12.0.2 allows authenticated users to upload malicious files through the /tool/saveAttachment.php endpoint, leading to arbitrary code execution. The application does not adequately validate or sanitize uploaded file types, permitting attackers to upload executable PHP files with extensions such as .phar or .php. Normally, Projeqtor appends .projeqtor.txt to .phar and .php filenames (e.g., miri.phar.projeqtor.txt), but this can be bypassed. On Windows systems, attackers can exploit a filesystem quirk by specifying a filename like miri.php. (with a trailing dot). Windows silently strips the trailing dot when writing to the filesystem, resulting in a file named miri.php that can execute PHP code. This behavior is a deliberate strategy for bypassing extension restrictions, as the application may not flag the trailing dot as suspicious. Separately, using a semicolon in filenames (e.g., miri.phar;) is effective specifically for .phar files, potentially exploiting how the application or server parses extensions. In the provided proof-of-concept (PoC), a .phar file with the content demonstrates this by executing the dir command on a Windows server. |
| Source | https://github.com/deadmilkman/cve-reports/blob/main/01-projeqtor-rce/readme.md |
| User | deadmilkman (UID 82903) |
| Submission | 26.03.2025 14:48 (1 year ago) |
| Moderation | 03.04.2025 10:05 (8 days later) |
| Status | Accepted |
| VulDB Entry | 303128 [Projeqtor up to 12.0.2 /tool/saveAttachment.php attachmentFiles privilege escalation] |
| Points | 20 |