lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Sun, 13 May 2018 20:08:04 +0200
From: Imre Rad <radimre83@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2018-10759/CVE-2018-10760: Project Pier 0.8.8
	vulnerabilities

 "ProjectPier is a Free, Open-Source, PHP application for managing tasks,
projects and teams through an intuitive web interface."

https://github.com/Project-Pier
https://sourceforge.net/projects/projectpier/


I reached out to the vendor via several channels to report the findings
below, but received no response. Since the project is abandoned (latest
commits are 3 years old), I decided to go for full disclosure.
The vulnerable versions are 0.8.8 and below.


Vulnerability #1 (CVE-2018-10759):
The PHP file (public/patch/patch.php) is public facing, accessible without
authentication and is vulnerable to PHP remote file inclusion attacks since
the id parameter is not sanitized.
As a consequence of this, attackers could execute arbitrary commands via
the expect:// fopen wrapper or execute arbitrary SQL statements.

Remediation:
Decommission the application or at least remove the affected file.


Vulnerability #2 (CVE-2018-10760):
The official Files plugin of ProjectPier is a file management plugin
offering file uploads for the authentication users having the appropriate
permissions granted. The files are uploaded into the subdirectory /tmp
under the document root. The plugin does not enforce any security controls
regarding the type/content of the file being uploaded, which could be
abused by malicious users to execute arbitrary PHP code by uploading it via
this plugin.

Remediation:
Decommission the application or revoke access privileges to the plugin.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists