pluck-cms / pluck

Central repo for pluck cms
http://www.pluck-cms.org

File upload vuln pluck 4.7.10 dev version #78

Closed zhangdebiao closed 5 years ago

zhangdebiao commented 5 years ago

An issue was discovered in Pluck before 4.7.10 dev version. Remote PHP code execution is possible. Do you have an email? I will send details to it.

BSteelooper commented 5 years ago

You can send all pluck exploits to pluck-exploits@bas.xosc.nl

zhangdebiao commented 5 years ago

Following are details of vulnerabilities in file upload.

Location: https://github.com/pluck-cms/pluck/blob/master/data/inc/files.php

Code: File upload only filters the suffixes '.php', 'php3', 'php4', 'php5', 'php6', 'php7', 'phtml', but ignores the '.pht' and '.phtm' files, while '.pht' and '.phtm' files can be parsed by Apache by default. Due to the inadequate filtering of file suffixes that prohibit uploading, an attacker can exploit this vulnerability to execute arbitrary code by uploading malicious files.

Step 1. Upload a file phpinfo.pht.

File content: <?php phpinfo();?>
Upload Successful

Step 2. Request

Malicious files are parsed as PHP; an attacker can exploit this vulnerability to execute arbitrary code by uploading malicious files.
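The filtering gap described in the report above, as an added example that is not part of the original thread and is not Pluck's code: a denylist built from the suffixes the report names, next to an allowlist check. The function names, the allowed types and the sample filenames are assumptions made for illustration.

```php
<?php
// Added example, not Pluck's code. The denylist mirrors the suffixes named in the report.
const REPORTED_DENYLIST = ['php', 'php3', 'php4', 'php5', 'php6', 'php7', 'phtml'];
// Assumption: the site only needs to accept these upload types.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

/** Denylist check as the report describes it: reject only the listed suffixes. */
function denylist_accepts(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, REPORTED_DENYLIST, true);
}

/** Allowlist check: accept only "<name>.<ext>" where <ext> is an expected type. */
function allowlist_accepts(string $filename): bool
{
    // Work on the final path component only.
    $name = basename(str_replace('\\', '/', $filename));
    if ($name === '' || preg_match('/[\x00-\x1f]/', $name)) {
        return false;                       // empty name or control characters
    }
    $parts = explode('.', strtolower($name));
    // Strict by design: exactly one suffix and a non-empty base name, so the
    // extension that was checked is the only one the web server will see.
    if (count($parts) !== 2 || $parts[0] === '') {
        return false;
    }
    return in_array($parts[1], ALLOWED_EXTENSIONS, true);
}

// Constructed sample filenames (phpinfo.pht is the name used in the report).
$samples = ['photo.jpg', 'phpinfo.pht', 'page.phtm', 'notes.PHP', 'archive.tar.gz'];
foreach ($samples as $f) {
    printf("%-15s denylist=%-6s allowlist=%s\n", $f,
        denylist_accepts($f) ? 'accept' : 'reject',
        allowlist_accepts($f) ? 'accept' : 'reject');
}
```

The denylist lets through any suffix it does not name, which is how the two reported suffixes pass, while the allowlist rejects everything that is not an expected type, at the cost of also rejecting legitimate multi-suffix names.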

BSteelooper commented 5 years ago

I created a new release with a fix. Can you check? pluck-4.7.10-dev1.tar.gz

zhangdebiao commented 5 years ago

The vulnerability in this version has been fixed. If I find other vulns, I will tell you immediately.

------------------ Original message ------------------ From: "Bas Steelooper" notifications@github.com; Sent: Thursday, August 1, 2019, 6:27 PM; To: "pluck-cms/pluck" pluck@noreply.github.com; Cc: "你吃啥呢" 843345000@qq.com; "State change" state_change@noreply.github.com; Subject: Re: [pluck-cms/pluck] File upload vuln pluck 4.7.10 dev version (#78)

I created a new release with a fix. Can you check? pluck-4.7.10-dev1.tar.gz
