pluck-cms / pluck

Central repo for pluck cms
http://www.pluck-cms.org

Pluck 4.7.15 - Zip Slip Vulnerability #100

Closed naiagoesawoo closed 3 years ago

naiagoesawoo commented 3 years ago

Issue Summary

Pluck's module and theme installers are vulnerable to directory traversal (via zip slip).

Detailed Description

It is possible to upload a malicious zip file in order to traverse directories outside of the intended environment, potentially allowing arbitrary code execution which will run with the permissions of the user assigned to the webserver.

Reproduction Steps

  1. Using the evilarc tool, create a zip archive containing a PHP file with a depth of 2 (python evilarch.py shell.php -d 2 -f wolf.zip)
  2. Visit <pluck_domain>/admin.php?action=themeinstall and upload the malicious wolf.zip you created.
  3. Visit <pluck_domain>/shell.php and you now have a PHP shell.

Impact

This vulnerability makes remote code execution under the privileges of the user running the webserver application possible.

BSteelooper commented 3 years ago

Could you perform a retest with the latest dev version?

naiagoesawoo commented 3 years ago

I confirm the Zip Slip vulnerability has been fixed.