Submission #543250: Projeqtor 12.0.2 Improper Input Validation (details)

Title: Projeqtor 12.0.2 Improper Input Validation
Description: A critical vulnerability in Projeqtor v12.0.2 allows authenticated users to upload malicious files through the /tool/saveAttachment.php endpoint, leading to arbitrary code execution. The application does not adequately validate or sanitize uploaded file types, permitting attackers to upload executable PHP files with extensions such as .phar or .php. Normally, Projeqtor appends .projeqtor.txt to .phar and .php filenames (e.g., miri.phar.projeqtor.txt), but this can be bypassed. On Windows systems, attackers can exploit a filesystem quirk by specifying a filename like miri.php. (with a trailing dot). Windows silently strips the trailing dot when writing to the filesystem, resulting in a file named miri.php that can execute PHP code. This is a deliberate strategy for bypassing extension restrictions, since the application does not treat the trailing dot as suspicious. Separately, using a semicolon in filenames (e.g., miri.phar;) is effective specifically for .phar files, potentially exploiting how the application or server parses extensions. In the provided proof-of-concept (PoC), a .phar file with the given content demonstrates this by executing the dir command on a Windows server.
Source: https://github.com/deadmilkman/cve-reports/blob/main/01-projeqtor-rce/readme.md
User: deadmilkman (UID 82903)
Submitted: 2025-03-26 14:48 (1 year ago)
Moderated: 2025-04-03 10:05 (8 days later)
Status: Accepted
VulDB entry: 303128 [Projeqtor up to 12.0.2 /tool/saveAttachment.php attachmentFiles privilege escalation]
Points: 20
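Added here to illustrate the defensive side of the report (example code, not Projeqtor's own): a suffix-only check that behaves the way the description says the application does, beside a check that canonicalizes the name the way Windows will (dropping trailing dots and spaces) before deciding, and that inspects every dot-separated token, so it also covers double extensions such as x.php.jpg. Function names and the extension set are assumptions.

```python
import re

# Extensions the report names as executable when served by PHP (assumption:
# the product's real list may differ).
DANGEROUS_EXTENSIONS = {"php", "phar"}
# Suffix the report says Projeqtor appends to neutralize such uploads.
NEUTRALIZING_SUFFIX = ".projeqtor.txt"


def naive_neutralize(filename: str) -> str:
    """Suffix-only check modelled on the behaviour the report describes
    (assumption): only an exact '.php' / '.phar' ending is renamed, so
    'miri.php.' and 'miri.phar;' pass through untouched."""
    lower = filename.lower()
    if any(lower.endswith("." + ext) for ext in DANGEROUS_EXTENSIONS):
        return filename + NEUTRALIZING_SUFFIX
    return filename


def hardened_neutralize(filename: str) -> str:
    """Canonicalize first, then decide on the canonical name."""
    # 1. Keep only the basename so no directory component can be smuggled in.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # 2. Windows drops trailing dots and spaces when creating a file, so drop
    #    them before judging; otherwise 'miri.php.' looks harmless but is
    #    stored as 'miri.php'.
    name = name.strip().rstrip(". ")
    if not name:
        raise ValueError("empty filename after canonicalization")
    # 3. Replace separator characters the filesystem or server might
    #    reinterpret (';' among them) with a neutral '_'.
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    # 4. Inspect every extension-like token of the canonical name, split on any
    #    non-alphanumeric character, so 'miri.phar;' and 'x.php.jpg' are caught.
    tokens = re.split(r"[^a-z0-9]+", name.lower())
    if any(tok in DANGEROUS_EXTENSIONS for tok in tokens[1:]):
        return safe + NEUTRALIZING_SUFFIX
    return safe
```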
