pluck-cms / pluck

Central repo for pluck cms
http://www.pluck-cms.org

Pluck-4.7.10-dev2: a remote command execution vulnerability exists in the admin background when uploading files #84

Closed F1sh1001 closed 4 years ago

F1sh1001 commented 4 years ago

This vulnerability applies to PHP 5.2.x.


After the installation is successful, go to the management background.

Then upload shell.php; it will be changed to shell.php.txt.


Then upload shell.php again.


shell.php has not been changed to shell.php.txt.


Then view shell.php.


BSteelooper commented 4 years ago

As you state, this is an issue with PHP 5.2.x; it doesn't exist in PHP 7. PHP 5 is no longer supported by PHP (see https://www.php.net/supported-versions.php) and we cannot maintain versions which are no longer supported.

I have updated the minimal requirements to version 7, but it will work, so I included a warning message that an insecure PHP version is used.

Will be in the next release.
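The report shows a repeated upload of the same name keeping its .php extension, but the thread does not show why. The following is an added example, not pluck's code or anything posted in this issue: an upload handler in which the stored name is computed from the requested name alone, so a second upload of shell.php is neutralized exactly like the first. The function names, the blocked-extension list and the numeric-prefix collision scheme are assumptions made for illustration.

```php
<?php
// Added example, not pluck's code; names and the extension list are assumptions.
const BLOCKED = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'cgi', 'pl'];

// The stored name depends only on the requested name, never on directory contents.
function neutralize_name(string $requested): string
{
    $name = basename(str_replace('\\', '/', $requested));        // drop any path
    $name = trim(preg_replace('/[^A-Za-z0-9._-]/', '_', $name), '.');
    if ($name === '') {
        $name = 'upload';
    }
    // Check every dot-separated part, so shell.php.jpg is caught as well.
    $parts = array_map('strtolower', explode('.', $name));
    array_shift($parts);                                          // drop the base name
    $blocked = array_intersect($parts, BLOCKED) !== [];
    if ($blocked && end($parts) !== 'txt') {
        $name .= '.txt';                                          // shell.php -> shell.php.txt
    }
    return $name;
}

// $move is move_uploaded_file() in a web request; the CLI demo below passes rename().
function store_upload(string $tmp, string $requested, string $dir, callable $move = 'move_uploaded_file'): string
{
    $safe = neutralize_name($requested);
    $target = "$dir/$safe";
    // A collision only adds a numeric prefix, so the extension decided above is kept.
    for ($i = 1; file_exists($target); $i++) {
        $target = "$dir/{$i}_$safe";
    }
    if (!$move($tmp, $target)) {
        throw new RuntimeException("could not store $requested");
    }
    return basename($target);
}

// Demo with constructed input: the same name uploaded twice, as in the report.
$dir = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
foreach (['shell.php', 'shell.php', 'photo.JPG', '../x.PhTml'] as $requested) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, 'constructed sample content');
    echo $requested, ' => ', store_upload($tmp, $requested, $dir, 'rename'), PHP_EOL;
}
```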