pluck-cms / pluck

Central repo for pluck cms
http://www.pluck-cms.org

There is arbitrary code execution and file inclusion in the module installation of 4.7.16-dev2 #107

Closed debug601 closed 2 years ago

debug601 commented 2 years ago

PHP 5.2.17

1. Arbitrary code execution

I uploaded webshell.zip in the module installation.

It will automatically extract it to "D:\phpStudy\PHPTutorial\WWW\pluck-4.7.16dev2\data\modules". Visit 192.168.1.128/pluck-4.7.16dev2/data/modules/webshell/webshell.php

2. File inclusion vulnerability

After uploading the webshell.zip file in the module installation, I visit admin.php and it will automatically include the /data/modules/webshell/webshell.php file I uploaded.


BSteelooper commented 2 years ago

Duplicate for #106

I believe this is in the install modules section and not in the manage files section.

A module is to add functionality to the website, and needs a password to do so. When you have the password, you can upload anything, and then utilise this uploaded content. This is impossible to fix, since this is the option to add functionality. For instance the in-place updater is a module which downloads and extracts files; another module might do the same, so why restrict this, and restrict it to what?

Since the password is needed to exploit this, and with the password lost everything is up for grabs, we won't fix this.

debug601 commented 2 years ago

Their versions are different, and this loophole also exists in continuously updated versions.

BSteelooper commented 2 years ago

It works as designed and is not a loophole. If it exists in the last version and we tell you it is as designed, you don't have to make issues for all versions; they are duplicates at that moment.

PS: the minimal supported PHP version is 7.0.

debug601 commented 2 years ago

If it is the PHP 7.0 version, there will be the same problem, because you did not set the rule in "\data\modules\.htaccess".

debug601 commented 2 years ago

The vulnerability will only be fixed if you set the corresponding rules in "\data\modules\.htaccess". If you haven't set it up all along, then the vulnerability will always exist.

debug601 commented 2 years ago

I am willing to test future versions of your project, and I will not repeat the submission of issues like this one. What do you think?

BSteelooper commented 2 years ago

When you have a module which has to have directly executable content, such as a captcha, this is not working with the .htaccess set. As this would limit the functionality of the modules section, we designed it to allow executable code in the modules section.

Since you need the password to install a module, there is not really a security risk... with the password you can do all kinds of stuff.

BSteelooper commented 2 years ago

I am willing to test future versions of your project, and I will not repeat the submission of issues like this one. What do you think?

We welcome you testing Pluck. It can only become better.

BSteelooper commented 2 years ago

The vulnerability will only be fixed if you set the corresponding rules in "\data\modules\.htaccess". If you haven't set it up all along, then the vulnerability will always exist.

When we do this, this would limit the functionality of the modules. If we don't include AllowOverride None, you can simply include your own .htaccess in the module to achieve this.
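For readers weighing the trade-off discussed in this thread, the following is an added Apache httpd 2.4 configuration example; it is not part of Pluck and not something the maintainers ship. It assumes Pluck is installed under /var/www/pluck (an assumed path) and shows the two settings the thread refers to: denying direct web requests for PHP files under data/modules, and AllowOverride None so that a module cannot undo that rule by bundling its own .htaccess.

```apache
# Added example, not Pluck's own configuration. Put this in httpd.conf or the
# vhost definition, not in a .htaccess file: a .htaccess file inside
# data/modules could itself be replaced by an installed module.
# /var/www/pluck is an assumed install path.

<Directory "/var/www/pluck/data/modules">
    # Ignore any .htaccess shipped inside a module archive, so a module
    # cannot re-enable direct execution for its own directory.
    AllowOverride None

    # Refuse direct HTTP requests for PHP source files in this tree.
    # admin.php can still include() these files from disk; this rule only
    # blocks the "visit data/modules/<module>/<file>.php" path.
    <FilesMatch "\.(php|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>
```

As the maintainer notes above, this breaks any module that must serve PHP directly (a captcha endpoint, for example), and it does nothing about a module's code being included by admin.php, which is by design once someone holds the admin password. The practical value is on the detection and containment side: with this in place, a request for a freshly extracted data/modules/.../*.php file produces a 403 in the access log instead of executing, which is an easy signal to alert on.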

debug601 commented 2 years ago

We welcome you testing Pluck. It can only become better.

yes

debug601 commented 2 years ago

The vulnerability will only be fixed if you set the corresponding rules in "\data\modules\.htaccess". If you haven't set it up all along, then the vulnerability will always exist.

When we do this, this would limit the functionality of the modules. If we don't include AllowOverride None, you can simply include your own .htaccess in the module to achieve this.

yes