Closed F1sh1001 closed 4 years ago
Where did you insert the script? It is JavaScript, so it only resides in the client. The /h1 will not appear in the file on disk.
Please explain more.
After the administrator opens the CSRF exp page, a new page called evil will be added to your website.
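The report above describes the classic CSRF outcome: the administrator's browser carries the session cookie to /admin.php?action=editpage, so a forged form on another site can create a page. The following is an added illustration of the defence, not code from Pluck or from anyone in this thread: a simulated editpage handler that requires a per-session synchronizer token plus an Origin/Referer check before touching any page. The site origin, the handler name and the in-memory `pages` store are all assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed for the example: the CMS's own origin (assumption).
SITE_ORIGIN = "https://cms.example"


def issue_token(session: dict) -> str:
    """Create (or reuse) a random per-session CSRF token kept server-side.
    The token is embedded in the admin form; a cross-site page cannot read it."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def request_is_same_origin(headers: dict) -> bool:
    """Defence in depth: the Origin header (or Referer as a fallback) must match
    the site's own origin. A request with neither header is treated as untrusted."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parsed = urlparse(referer)
        origin = f"{parsed.scheme}://{parsed.netloc}"
    return origin == SITE_ORIGIN


def csrf_check_passes(session: dict, headers: dict, form: dict) -> bool:
    """A state-changing request is accepted only if the submitted token equals
    the session token (constant-time compare) and the origin check passes."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected or not submitted:
        return False
    if not hmac.compare_digest(expected, submitted):
        return False
    return request_is_same_origin(headers)


def handle_editpage(session: dict, headers: dict, form: dict, pages: dict) -> int:
    """Hypothetical stand-in for admin.php?action=editpage. Returns an HTTP status:
    403 when the CSRF check fails, 200 when the page is written."""
    if not csrf_check_passes(session, headers, form):
        return 403
    pages[form["page_name"]] = form["content"]
    return 200


if __name__ == "__main__":
    session, pages = {}, {}
    token = issue_token(session)
    # Legitimate submission from the admin UI carries the token.
    print(handle_editpage(session, {"Origin": SITE_ORIGIN},
                          {"csrf_token": token, "page_name": "about", "content": "hi"}, pages))
    # Forged cross-site submission: cookie rides along, token does not.
    print(handle_editpage(session, {"Origin": "https://other.example"},
                          {"page_name": "evil", "content": "x"}, pages))
```

The cookie alone is what the forged request in this issue relies on; once the handler insists on a secret the attacker's page cannot read, the same request is rejected even though the session is valid.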
Could you please test the latest dev release 4.7.10-dev4? https://github.com/pluck-cms/pluck/releases/tag/4.7.10-dev4
Have you retested with the latest dev version?
Sorry, I don't have much time. I'll try if I have time.
------------------ Original message ------------------ From: "Bas Steelooper"<notifications@github.com>; Sent: October 22, 2019 (Tuesday) 3:19 PM To: "pluck-cms/pluck"<pluck@noreply.github.com>; Cc: "1113402387"<1113402387@qq.com>; "Author"<author@noreply.github.com>; Subject: Re: [pluck-cms/pluck] An issue was discovered in Pluck 4.7.10-dev2. There is a CSRF vulnerability that can editpage via a /admin.php?action=editpage (#81)
Have you retested with the latest dev version?
CSRF POC: