Message-ID: <CAPWzz4wpy8CYPod+AFLgbuCZkCAm-Swv5mue2cTBM+mhLd5ACw@mail.gmail.com>
Date: Sun, 13 May 2018 20:08:04 +0200
From: Imre Rad <radimre83@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2018-10759/CVE-2018-10760: Project Pier 0.8.8 vulnerabilities

"ProjectPier is a Free, Open-Source, PHP application for managing tasks,
projects and teams through an intuitive web interface."

https://github.com/Project-Pier
https://sourceforge.net/projects/projectpier/

I reached out to the vendor via several channels to report the findings
below, but received no response. Since the project is abandoned (latest
commits are 3 years old), I decided to go for full disclosure.

The vulnerable versions are 0.8.8 and below.

Vulnerability #1 (CVE-2018-10759):

The PHP file (public/patch/patch.php) is public-facing, accessible without
authentication, and vulnerable to PHP remote file inclusion attacks because
the id parameter is not sanitized.
As a consequence, attackers could execute arbitrary commands via
the expect:// fopen wrapper or execute arbitrary SQL statements.

Remediation:
Decommission the application or at least remove the affected file.

Vulnerability #2 (CVE-2018-10760):

The official Files plugin of ProjectPier is a file management plugin
offering file uploads to authenticated users who have been granted the
appropriate permissions. The files are uploaded into the subdirectory /tmp
under the document root. The plugin does not enforce any security controls
regarding the type/content of the file being uploaded, which could be
abused by malicious users to execute arbitrary PHP code by uploading it via
this plugin.

Remediation:
Decommission the application or revoke access privileges to the plugin.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
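
A defender-side audit for the two findings above, as an added example that is not part of the original advisory or of ProjectPier: it reports whether public/patch/patch.php is still present under a document root and whether the tmp upload directory holds files a PHP handler could execute. The function names, the extension list and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: extensions a PHP handler mapping may execute; adjust to the server config.
PHP_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".pht"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
PATCH_REL = os.path.join("public", "patch", "patch.php")  # path named in the advisory
UPLOAD_REL = "tmp"  # upload directory named in the advisory

def audit_install(docroot):
    """Return (finding, path) tuples for one ProjectPier document root."""
    patch = os.path.join(docroot, PATCH_REL)
    findings = [("patch-script-present", patch)] if os.path.isfile(patch) else []
    for base, _dirs, files in os.walk(os.path.join(docroot, UPLOAD_REL)):
        for name in sorted(files):
            path = os.path.join(base, name)
            # Test every dot-separated part: some Apache handler setups also run "name.php.jpg".
            if {"." + p.lower() for p in name.split(".")[1:]} & PHP_EXTS:
                findings.append(("php-extension-in-uploads", path))
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)
            except OSError:
                findings.append(("unreadable-upload", path))
                continue
            if PHP_TAG.search(head):
                findings.append(("php-tag-in-upload", path))
    return findings

def demo():
    """Audit a constructed sample tree; paths are returned relative to it."""
    root = tempfile.mkdtemp(prefix="pp_audit_")
    os.makedirs(os.path.join(root, "public", "patch"))
    os.makedirs(os.path.join(root, "tmp"))
    samples = {"public/patch/patch.php": b"<?php // constructed placeholder\n",
               "tmp/report.pdf": b"%PDF-1.4 constructed\n",
               "tmp/notes.PHP": b"constructed\n",
               "tmp/avatar.gif": b"GIF89a<?php /* constructed marker */ ?>"}
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return [(k, os.path.relpath(p, root).replace(os.sep, "/"))
            for k, p in audit_install(root)]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A clean result from the content scan is not proof that the upload directory is safe; the remediation stated in the advisory still applies.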