ProjectPier versions 0.8.8 and below suffer from remote file inclusion, authentication bypass, remote shell upload, and remote SQL injection vulnerabilities.
981d011a590304ccd6de6e3510500b73 "ProjectPier is a Free, Open-Source, PHP application for managing tasks,
projects and teams through an intuitive web interface."
https://github.com/Project-Pier
https://sourceforge.net/projects/projectpier/
I reached out to the vendor via several channels to report the findings
below, but received no response. Since the project is abandoned (latest
commits are 3 years old), I decided to go for full disclosure.
The vulnerable versions are 0.8.8 and below.
Vulnerability #1 (CVE-2018-10759):
The PHP file (public/patch/patch.php) is public facing, accessible without
authentication and is vulnerable to PHP remote file inclusion attacks since
the id parameter is not sanitized.
As a consequence of this, attackers could execute arbitrary commands via
the expect:// fopen wrapper or execute arbitrary SQL statements.
Remediation:
Decommission the application or at least remove the affected file.
Vulnerability #2 (CVE-2018-10760):
The official Files plugin of ProjectPier is a file management plugin
offering file uploads for the authentication users having the appropriate
permissions granted. The files are uploaded into the subdirectory /tmp
under the document root. The plugin does not enforce any security controls
regarding the type/content of the file being uploaded, which could be
abused by malicious users to execute arbitrary PHP code by uploading it via
this plugin.
Remediation:
Decommission the application or revoke access privileges to the plugin.