pluck-cms / pluck

Central repo for pluck cms
http://www.pluck-cms.org

Pluck-4.7.10-dev2 admin backend has a remote command execution vulnerability in the file management interface. #83

Closed Lilc1 closed 4 years ago

Lilc1 commented 4 years ago

Vulnerability location: /data/inc/file.php, line 42. If the file name is '.htaccess', the strpos function returns 0. Demo: upload these two files in the file management interface.

Access /files/1.txt. Successful execution. Then upload the attack code. Successfully obtained the shell. PoC:

.htaccess

```apache
<FilesMatch "1">
SetHandler application/x-httpd-php
</FilesMatch>
```
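As an added example (not pluck's own code): the check shape assumed from the report, a truthiness test on strpos() that lets a name starting with '.htaccess' through, beside a hardened filter that tests strpos() against false, rejects dotfiles outright and only accepts an allowlist of extensions. The function names, the sample file names and the extension allowlist are assumptions.

```php
<?php
// Added example, not pluck's own code. The vulnerable shape is an assumption
// reconstructed from the report: the filter treats the 0 returned by strpos()
// (match at position 0) as "not found", so ".htaccess" itself is not blocked.

function isBlockedVulnerable(string $name): bool
{
    // BUG: strpos() returns 0 when '.htaccess' sits at the start of $name,
    // and 0 is falsy in PHP, so the exact name ".htaccess" passes the check.
    if (strpos($name, '.htaccess')) {
        return true;
    }
    return false;
}

function isBlockedHardened(string $name): bool
{
    $base = basename($name);            // ignore any directory component
    if ($base === '' || $base[0] === '.') {
        return true;                    // no dotfiles at all (.htaccess and friends)
    }
    // strpos()/stripos() must be compared with false, never used as a boolean.
    if (stripos($base, '.htaccess') !== false) {
        return true;
    }
    // Allowlist (assumed): only explicitly permitted extensions are accepted,
    // so server-side script extensions are rejected by default.
    $allowed = ['txt', 'jpg', 'jpeg', 'png', 'gif', 'pdf'];
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    return !in_array($ext, $allowed, true);
}

// Constructed sample names showing where the two checks disagree.
$samples = ['.htaccess', 'x.htaccess', '1.txt', 'page.php'];
foreach ($samples as $s) {
    printf("%-12s vulnerable=%-8s hardened=%s\n", $s,
        isBlockedVulnerable($s) ? 'blocked' : 'ALLOWED',
        isBlockedHardened($s) ? 'blocked' : 'ALLOWED');
}
```

The first sample is the report's case: the truthiness check allows it, the hardened check blocks it; the allowlist additionally blocks the .php name the truthiness check never looked at.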
Lilc1 commented 4 years ago

You can upload these two files through the CSRF vulnerability, even without logging in to the backend.

BSteelooper commented 4 years ago

Could you please test the latest dev release 4.7.10-dev4? https://github.com/pluck-cms/pluck/releases/tag/4.7.10-dev4

Lilc1 commented 4 years ago

> Could you please test the latest dev release 4.7.10-dev4? https://github.com/pluck-cms/pluck/releases/tag/4.7.10-dev4

All right!

BSteelooper commented 4 years ago

Have you retested with the latest dev version?

Lilc1 commented 4 years ago

> Have you retested with the latest dev version?

Can you apply for a CVE ID for me? Steps: https://help.github.com/en/github/managing-security-vulnerabilities/publishing-a-security-advisory#requesting-a-cve-identification-number