Closed liao10086 closed 6 years ago
Is it also in the latest version? My email is pluck[at]bas.xosc.nl
Author: "liao", DBAPP. I found a file upload vuln in /data/inc/images.php in the latest version.
Line 39. When I set my file type to image/jpg but the file suffix is not in $imagewhitelist, I can still succeed in uploading files. Line 39 judges that the file suffix is not in $imagewhitelist, but the following statements are still executed, because the "if" on line 39 is not a nested statement. E.g.:
2. Upload a new ".htaccess" to cover your ".htaccess". I uploaded a PHP file, but it doesn't work because of the ".htaccess" file, so I wanted to send a file to cover it. I sent an image renamed ".htaccess". When I access the "phpinfo" file, there is an error. So I sent an effective ".htaccess" file to cover it, just like this:
I created a pre-release, can you try this? pluck-4.7.7-dev1.tar.gz
Found an issue with the previous release. Please try this one. pluck-4.7.7-dev2.tar.gz
You can fix it like this
That should be in the dev-2 version. See the second commit https://github.com/pluck-cms/pluck/commit/673d605b917db70a1134eb60385f4581e8ee3e0f
OK
The issue is confirmed.
Threat level: LOW
Affected: Admin panel
file upload: Whitelist was not triggered properly
Remediation: Updated several files
Solved in 4.7.7 dev 2
An issue was discovered in Pluck before 4.7.7. Remote PHP code execution is possible. Do you have an email? I will send details to it.
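
The control-flow flaw described in the report above (a suffix check that fails but does not stop the upload), next to a form where a failed check returns early. This is an added PHP example, not part of the thread and not Pluck's code: the function names, the whitelist contents and the `stored` flag standing in for the actual file move are assumptions.

```php
<?php
// Added illustration; not Pluck's code. Names and list contents are assumptions.
$imagewhitelist = ['jpg', 'jpeg', 'png', 'gif'];
$allowedTypes   = ['image/jpeg', 'image/jpg', 'image/png', 'image/gif'];

// "Before": the suffix check records an error, but the store step is not
// in an else branch, so it runs whatever the check decided.
function store_before(array $file, array $types, array $whitelist): array
{
    $error  = null;
    $stored = false;
    if (in_array($file['type'], $types, true)) {   // MIME type is client-supplied
        $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
        if (!in_array($ext, $whitelist, true)) {
            $error = 'extension not allowed';
        }
        $stored = true;   // stands in for the file move; always reached
    }
    return ['stored' => $stored, 'error' => $error];
}

// "After": a failed check returns before anything is written.
function store_after(array $file, array $types, array $whitelist): array
{
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $whitelist, true)) {
        return ['stored' => false, 'error' => 'extension not allowed'];
    }
    if (!in_array($file['type'], $types, true)) {
        return ['stored' => false, 'error' => 'type not allowed'];
    }
    return ['stored' => true, 'error' => null];
}

// Constructed sample uploads, shaped like $_FILES entries.
$samples = [
    ['name' => 'photo.jpg', 'type' => 'image/jpeg'],
    ['name' => 'info.php',  'type' => 'image/jpg'],
    ['name' => '.htaccess', 'type' => 'image/jpg'],
];
foreach ($samples as $f) {
    $b = store_before($f, $allowedTypes, $imagewhitelist);
    $a = store_after($f, $allowedTypes, $imagewhitelist);
    printf("%-10s before: %-6s after: %s\n", $f['name'],
        $b['stored'] ? 'stored' : 'denied', $a['stored'] ? 'stored' : 'denied');
}
```

In the "before" function the error is set for `info.php` and `.htaccess`, yet both are still marked stored; a regression test for the fix should assert on the stored result, not on the error message.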