pluck-cms / pluck

Central repo for pluck cms
http://www.pluck-cms.org

Pluck-4.7.16-dev: a remote code execution exists in Admin when installing a new theme #104

Closed. noobpk closed this 3 years ago

noobpk commented 3 years ago

Description: An admin can install theme packages that contain inserted functions which allow remote code execution.

Steps to reproduce:

  1. Insert the executable code into a theme file.
  2. Pack the theme folder and go to "install theme".
  3. The code is executed when the admin clicks "return to the theme page", and it executes again every time the admin opens the "choose theme" module.

Images:

  1. [Image: inserting the executable code]
  2. [Image: upload & exec shell]

PoC : https://youtu.be/p5G9e0eNF_4

BSteelooper commented 3 years ago

Thank you for this notice.

We are no antivirus, and we cannot validate every line someone enters in a theme or module. This will work in every environment where it is possible to upload your own PHP code; the server environment must prevent the spawning of listeners and such.

Since you are admin when you are able to upload this, you can upload anything. Running anything within the server should be prevented within the server configuration and not within client software. Preventing the use of the exec method is configured in the php.ini.

noobpk commented 3 years ago

I have used many CMSs and found that uploading modules like this can be handled in the application code. A simple way to handle it is to read the files and grep for code-execution functions like exec, shell_exec, eval, ...; if any exist, we can cancel the following steps.

A similar case is CMS Moodle, CVE-2019-11631.

I think you should reconsider and handle this issue. It can be resolved.
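The two positions in this thread (a pre-install scan of the uploaded theme, and `disable_functions` in php.ini) can be combined into one check. The following is an added PHP example, not code from the pluck project: it tokenizes each PHP file of an already extracted theme directory (`$themeDir` is an assumed path; the function names `scanPhpSource`, `scanThemeDir` and `shellFuncsStillEnabled` are invented here) and reports calls to command- and code-execution functions, `eval`, and the backtick shell operator, which is more precise than a plain grep because it only counts an identifier followed by `(`. It also lists which shell functions the running php.ini has not disabled. The sample templates in the block are constructed for the demonstration. The scan is a heuristic: a function name assembled at runtime or obfuscated source is not caught, which is exactly why the server-side configuration remains the actual control.

```php
<?php
// Added example, not pluck's own code: heuristic pre-install check for an
// uploaded theme, plus a report of which shell functions php.ini still allows.
declare(strict_types=1);

// Functions that spawn commands; all of these can be listed in disable_functions.
const SHELL_FUNCS = ['exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open', 'pcntl_exec'];
// Code-execution sinks worth flagging inside a theme template.
const RISKY_CALLS = ['exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open',
                     'pcntl_exec', 'assert', 'create_function'];

/** Return a list of [file, line, what] findings for one PHP source string. */
function scanPhpSource(string $source, string $file): array
{
    $findings = [];
    $tokens = token_get_all($source);
    $count = count($tokens);
    $line = 1;
    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok)) {
            // Single-character tokens carry no line number; reuse the last one seen.
            if ($tok === '`') {
                $findings[] = [$file, $line, 'backtick shell operator'];
            }
            continue;
        }
        [$id, $text, $line] = $tok;
        if ($id === T_EVAL) {
            $findings[] = [$file, $line, 'eval'];
            continue;
        }
        // Plain or fully qualified name (PHP 8 tokenizes "\exec" as one token).
        $isName = $id === T_STRING
            || (defined('T_NAME_FULLY_QUALIFIED') && $id === T_NAME_FULLY_QUALIFIED);
        $name = strtolower(ltrim($text, '\\'));
        if (!$isName || !in_array($name, RISKY_CALLS, true)) {
            continue;
        }
        // Only count it as a call when the next non-whitespace token is "(".
        $j = $i + 1;
        while ($j < $count && is_array($tokens[$j])
            && in_array($tokens[$j][0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            $j++;
        }
        if ($j < $count && $tokens[$j] === '(') {
            $findings[] = [$file, $line, $name . '()'];
        }
    }
    return $findings;
}

/** Scan every PHP-executable file below an extracted theme directory (assumed path). */
function scanThemeDir(string $themeDir): array
{
    $findings = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($themeDir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $path => $info) {
        if ($info->isFile() && preg_match('/\.(php|phtml|inc)$/i', $path)) {
            $findings = array_merge($findings, scanPhpSource((string) file_get_contents($path), $path));
        }
    }
    return $findings;
}

/** Shell functions php.ini still allows; an empty list means disable_functions covers them all. */
function shellFuncsStillEnabled(): array
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return array_values(array_diff(SHELL_FUNCS, $disabled));
}

// Constructed samples standing in for two theme templates; the second carries a
// planted shell call of the kind the report describes.
$clean = "<?php echo htmlspecialchars(\$title); ?>\n<h1>Theme</h1>\n";
$tampered = "<?php\n\$info = shell_exec('uname -a');\necho \$info;\n?>\n<h1>Theme</h1>\n";

foreach ([['theme/clean.php', $clean], ['theme/tampered.php', $tampered]] as [$file, $src]) {
    $hits = scanPhpSource($src, $file);
    printf("%s: %d finding(s)\n", $file, count($hits));
    foreach ($hits as [, $line, $what]) {
        printf("  line %d: %s\n", $line, $what);
    }
}
// The install step would be cancelled whenever the scan returns anything.
$wouldInstall = count(scanPhpSource($tampered, 'theme/tampered.php')) === 0;
echo 'tampered theme would be installed: ' . ($wouldInstall ? 'yes' : 'no') . "\n";
echo 'shell functions not disabled in php.ini: ' . implode(', ', shellFuncsStillEnabled()) . "\n";
```

In an installer this scan belongs between unpacking the archive into a temporary directory and copying it into the live theme folder, so that a flagged theme never reaches a path the "choose theme" module includes. The `shellFuncsStillEnabled()` report is the complementary server-side check: on a hardened host it prints an empty list, and a non-empty list is the php.ini gap the maintainer refers to.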