| Title | Published | Views | Reporter |
|---|---|---|---|
| ProjectPier 0.8.8 SQL Injection / Authentication Bypass / RFI Vulnerabilities | 15 May 2018 00:00 | – | zdt |
| ProjectPier Unlimited File Upload Vulnerability | 17 May 2018 00:00 | – | cnvd |
| ProjectPier PHP Remote File Inclusion Vulnerability | 17 May 2018 00:00 | – | cnvd |
| Project Pier Remote File Inclusion (CVE-2018-10759) | 16 Jun 2020 00:00 | – | checkpoint_advisories |
| CVE-2018-10759 | 16 May 2018 14:00 | – | cve |
| CVE-2018-10760 | 16 May 2018 14:00 | – | cve |
| CVE-2018-10759 | 16 May 2018 14:00 | – | cvelist |
| CVE-2018-10760 | 16 May 2018 14:00 | – | cvelist |
| EUVD-2018-2829 | 7 Oct 2025 00:30 | – | euvd |
| EUVD-2018-2830 | 7 Oct 2025 00:30 | – | euvd |
` "ProjectPier is a Free, Open-Source, PHP application for managing tasks,
projects and teams through an intuitive web interface."
https://github.com/Project-Pier
https://sourceforge.net/projects/projectpier/
I reached out to the vendor via several channels to report the findings
below, but received no response. Since the project is abandoned (latest
commits are 3 years old), I decided to go for full disclosure.
The vulnerable versions are 0.8.8 and below.
Vulnerability #1 (CVE-2018-10759):
The PHP file (public/patch/patch.php) is public facing, accessible without
authentication and is vulnerable to PHP remote file inclusion attacks since
the id parameter is not sanitized.
As a consequence of this, attackers could execute arbitrary commands via
the expect:// fopen wrapper or execute arbitrary SQL statements.
Remediation:
Decommission the application or at least remove the affected file.
Vulnerability #2 (CVE-2018-10760):
The official Files plugin of ProjectPier is a file management plugin
offering file uploads for authenticated users having the appropriate
permissions granted. The files are uploaded into the subdirectory /tmp
under the document root. The plugin does not enforce any security controls
regarding the type/content of the file being uploaded, which could be
abused by malicious users to execute arbitrary PHP code by uploading it via
this plugin.
Remediation:
Decommission the application or revoke access privileges to the plugin.
`
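A log check for the two issues described above, as an added example that is not part of the original advisory: it flags requests to public/patch/patch.php, scheme-style values in its id parameter, and requests for PHP-handled files under the /tmp upload directory. The combined log format, the /pp/ install prefix, the extension list and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Any "scheme://" value: http://, ftp://, expect://, php:// and so on.
WRAPPER_RE = re.compile(r'^[a-z][a-z0-9+.\-]*://', re.I)
# Extensions commonly mapped to the PHP handler (assumption; match your server config).
PHP_EXT_RE = re.compile(r'\.(php\d?|phtml|phar)(/|$)', re.I)

def classify(line):
    """Return the list of finding labels for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    path = unquote(url.path).lower()
    findings = []
    if path.endswith("/public/patch/patch.php"):
        # The file is reachable without authentication, so every hit is worth review.
        findings.append("patch.php-access")
        ids = parse_qs(url.query, keep_blank_values=True).get("id", [])
        if any(WRAPPER_RE.match(v.strip()) for v in ids):
            findings.append("patch.php-id-wrapper")  # CVE-2018-10759 pattern
    if "/tmp/" in path and PHP_EXT_RE.search(path):
        findings.append("php-in-upload-dir")  # CVE-2018-10760 pattern
    return findings

def scan(lines):
    """Return (line_number, findings) for every line with at least one finding."""
    return [(n, f) for n, line in enumerate(lines, 1) if (f := classify(line))]

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/May/2018:10:00:01 +0000] "GET /pp/index.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [15/May/2018:10:02:11 +0000] '
    '"GET /pp/public/patch/patch.php?id=http%3A%2F%2Fhost.invalid%2Fa.txt HTTP/1.1" 200 312',
    '203.0.113.9 - - [15/May/2018:10:02:40 +0000] '
    '"GET /pp/public/patch/patch.php?id=12 HTTP/1.1" 200 298',
    '198.51.100.7 - - [15/May/2018:10:05:03 +0000] "GET /pp/tmp/report.php HTTP/1.1" 200 17',
    '198.51.100.7 - - [15/May/2018:10:05:09 +0000] "GET /pp/tmp/minutes.pdf HTTP/1.1" 200 48213',
]

if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE_LOG):
        print(lineno, ", ".join(findings))
```

Any `patch.php-access` hit after the file has been removed, or any `php-in-upload-dir` hit answered with status 200, indicates the remediation is not in effect on that host.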