ProjectPier 0.8.8 SQL Injection / Authentication Bypass / RFI

ProjectPier versions 0.8.8 and below suffer from remote file inclusion, authentication bypass, remote shell upload, and remote SQL injection vulnerabilities.

MD5 | 981d011a590304ccd6de6e3510500b73

"ProjectPier is a Free, Open-Source, PHP application for managing tasks,
projects and teams through an intuitive web interface."

I reached out to the vendor via several channels to report the findings
below, but received no response. Since the project is abandoned (latest
commits are 3 years old), I decided to go for full disclosure.
The vulnerable versions are 0.8.8 and below.

Vulnerability #1 (CVE-2018-10759):
The PHP file (public/patch/patch.php) is public facing, accessible without
authentication and is vulnerable to PHP remote file inclusion attacks since
the id parameter is not sanitized.
As a consequence of this, attackers could execute arbitrary commands via
the expect:// fopen wrapper or execute arbitrary SQL statements.

Decommission the application or at least remove the affected file.

Vulnerability #2 (CVE-2018-10760):
The official Files plugin of ProjectPier is a file management plugin
offering file uploads to authenticated users who have been granted the
appropriate permissions. The files are uploaded into the subdirectory /tmp
under the document root. The plugin does not enforce any security controls
regarding the type or content of the file being uploaded, which could be
abused by malicious users to execute arbitrary PHP code by uploading it via
this plugin.

Decommission the application or revoke access privileges to the plugin.
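For teams that cannot take the application offline immediately, the two issues above leave recognisable traces in the web server access log: any request reaching public/patch/patch.php (a file that should no longer be exposed), a stream wrapper such as expect:// in its id parameter, and a request that executes a script out of the /tmp upload directory. The following is an added example, not ProjectPier code or part of the advisory; the log lines are constructed, the paths (patch/patch.php, /tmp under the document root) come from the advisory, and the list of wrapper schemes and script extensions is an assumption of the example.

```python
"""Access-log heuristics for the two ProjectPier issues in this advisory.

Hypothetical example written for this advisory, not ProjectPier code.
The sample log lines below are constructed; the paths come from the
advisory (public/patch/patch.php, upload directory /tmp under docroot).
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Wrapper schemes an unsanitized include()/fopen() argument would honour.
# The advisory names expect://; the others are PHP's remaining wrappers
# (assumption: this list is illustrative, tune it for your environment).
WRAPPER_RE = re.compile(
    r'^\s*(expect|php|data|phar|https?|ftp|file|glob|zip)://', re.I)

# Script extensions that a PHP web server will execute if served from /tmp.
UPLOAD_EXEC_RE = re.compile(r'/tmp/[^/]+\.(php\d?|phtml|phar)$', re.I)


def classify(line):
    """Return a list of finding strings for one log line (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group('target'))
    path = unquote(parts.path)
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []

    # Vulnerability #1 (CVE-2018-10759): every hit on the patch script is
    # noteworthy because the file should be removed; a wrapper scheme or
    # traversal in the id parameter is an actual inclusion attempt. The
    # values are decoded a second time to catch double-encoded input.
    if path.endswith('/patch/patch.php'):
        ids = [unquote(v) for v in params.get('id', [])]
        if any(WRAPPER_RE.search(v) for v in ids):
            findings.append('CVE-2018-10759: stream wrapper in patch.php id parameter')
        elif any('..' in v for v in ids):
            findings.append('CVE-2018-10759: path traversal in patch.php id parameter')
        else:
            findings.append('patch.php reachable (file should be removed)')

    # Vulnerability #2 (CVE-2018-10760): uploads land in /tmp under the
    # document root, so a request that runs a script from there indicates an
    # uploaded file being used as a web shell rather than a document fetch.
    if UPLOAD_EXEC_RE.search(path):
        findings.append('CVE-2018-10760: script executed from upload directory /tmp')
    return findings


def scan(lines):
    """Run classify() over log lines; return [(line_no, findings), ...]."""
    results = []
    for n, line in enumerate(lines, 1):
        findings = classify(line)
        if findings:
            results.append((n, findings))
    return results


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/May/2018:10:21:05 +0000] "GET /projectpier/public/patch/patch.php?id=expect://REDACTED HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/May/2018:10:21:40 +0000] "GET /projectpier/public/patch/patch.php?id=1 HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/May/2018:10:25:12 +0000] "GET /projectpier/tmp/report.php HTTP/1.1" 200 77',
    '203.0.113.4 - - [10/May/2018:10:26:00 +0000] "GET /projectpier/tmp/report.pdf HTTP/1.1" 200 9031',
    '203.0.113.4 - - [10/May/2018:10:27:00 +0000] "GET /projectpier/index.php HTTP/1.1" 200 3021',
]

if __name__ == '__main__':
    for line_no, findings in scan(SAMPLE_LOG):
        print(f'line {line_no}: ' + '; '.join(findings))
```

Run against the constructed sample, lines 1 to 3 are flagged (wrapper in id, bare hit on patch.php, script execution from /tmp) while the PDF download and the index page pass clean. The bare-hit rule is deliberately noisy: once patch.php has been removed as the advisory recommends, any request for it is reconnaissance and worth seeing.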
