pluck-cms / pluck

Central repo for pluck cms
http://www.pluck-cms.org

Pluck-4.7.16dev1 admin background exists a remote command execution vulnerability when uploading files #106

Closed debug601 closed 2 years ago

debug601 commented 2 years ago

I uploaded any file in the "manage Files" section, where I uploaded "webshell.zip". Find the unzipped file in the upload folder.

The content in the 2.php file is "<?php phpinfo(); ?>"

url: 192.168.1.128/pluck4.7.16dev1/data/modules/webshell/2.php

BSteelooper commented 2 years ago

I believe this is in the install modules section and not in the manage files section.

A module is to add functionality to the website, and needs a password to do so. When you have the password, you can upload anything, and then utilise this uploaded content. This is impossible to fix, since this is the option to add functionality. For instance, the inplace updater is a module which downloads and extracts files; another module might do the same, so why restrict this, and restrict it to what?

Since the password is needed to exploit this, and with the password lost everything is up for grabs, we won't fix this.
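
A detection sketch for the situation discussed in this thread, added here as an example and not code from the pluck project: because module installation is an intended admin feature, a site operator can watch the web server access log for PHP files served from module directories they did not knowingly install. The function name, the allowlist and the log lines are constructed for illustration; only the `data/modules/<name>/` path layout is taken from the URL in the report.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache/nginx "combined" format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# A PHP file requested directly inside a module directory (layout from the report URL).
MODULE_PHP_RE = re.compile(
    r'/data/modules/(?P<module>[^/?#]+)/[^?#]*\.php(?:[?#]|$)', re.I
)

def find_unexpected_module_hits(lines, known_modules):
    """Return {module: [(ip, timestamp, path, status), ...]} for PHP requests
    that were served (2xx) from a module directory not in known_modules."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = unquote(m.group("path"))  # decode %2e-style obfuscation first
        pm = MODULE_PHP_RE.search(path)
        if not pm:
            continue
        module = pm.group("module").lower()
        status = int(m.group("status"))
        if module in known_modules or not 200 <= status < 300:
            continue  # expected module, or the file was not actually served
        hits[module].append((m.group("ip"), m.group("ts"), path, status))
    return dict(hits)

# Assumption: modules this administrator installed on purpose (sample value).
KNOWN_MODULES = {"blog"}

# Constructed sample log lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '198.51.100.9 - - [12/Mar/2021:10:01:02 +0000] "GET /pluck4.7.16dev1/index.php?file=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2021:10:02:10 +0000] "GET /pluck4.7.16dev1/data/modules/blog/blog.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2021:10:05:40 +0000] "GET /pluck4.7.16dev1/data/modules/webshell/2.php HTTP/1.1" 200 81234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2021:10:06:01 +0000] "GET /pluck4.7.16dev1/data/modules/probe/x.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for module, events in find_unexpected_module_hits(SAMPLE_LOG, KNOWN_MODULES).items():
        for ip, ts, path, status in events:
            print(f"unexpected module '{module}': {ip} [{ts}] {path} -> {status}")
```

Pairing this with a file-integrity baseline of the `data/modules` directory also catches a module that was installed but not yet requested.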