pluck-cms / pluck

Central repo for pluck cms
http://www.pluck-cms.org

Pluck-4.7.10 admin background exists a remote command execution vulnerability #86

Closed 2A806 closed 4 years ago

2A806 commented 4 years ago

Pluck-4.7.10 admin background exists a remote command execution vulnerability

It happens when restoring a file from the trashcan, and the restored file has the same name as one of the files in the uploaded files dir. The coding flaw is in file /pluck/data/inc/trashcan_restoreitem.php at line 54. When $var1 is 'shell.php.txt', here $filename will get the value 'shell' and $extension will get the value 'php', and then, concatenated with the string '_copy', we will get the final filename 'shell_copy.php'.

Proof

step1: login -> pages -> manage files, upload a file with the name shell.php.txt; upload succeeds

step2: delete the file to the trashcan

step3: upload the same file again

step4: restore the file from the trashcan, and the restored file is renamed as shell_copy.php

step5: visit the webshell

note: operating with "manage images" can do the same, as it has the same coding flaw at line 76
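As an added illustration of the rename logic the report describes (example code, not pluck's own; the `flawed_copy_name` function is a reconstruction of the described behaviour, assumed to split on the first '.', and the blocklist is an assumption), a restore-time rename that keeps only the last extension and refuses names carrying a script extension in any segment:

```php
<?php
// Added example, not pluck's own code.

// Reconstruction of the flawed behaviour the report describes (assumption:
// the original code splits on the first '.'): 'shell.php.txt' -> 'shell_copy.php'.
function flawed_copy_name(string $name): string
{
    [$filename, $rest] = array_pad(explode('.', $name, 2), 2, '');
    $extension = explode('.', $rest)[0];
    return $filename . '_copy.' . $extension;
}

// Hardened variant: the '_copy' suffix goes before the LAST extension only,
// and every dot-separated segment is checked against executable types.
function safe_copy_name(string $name): string
{
    $base = basename($name);                                   // strip any path part
    if ($base === '' || !preg_match('/^[A-Za-z0-9._-]+$/', $base)) {
        throw new InvalidArgumentException("unsafe file name: $name");
    }
    // Assumed blocklist; an allowlist of permitted upload types is stricter still.
    $blocked = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'htaccess'];
    foreach (explode('.', strtolower($base)) as $segment) {
        if (in_array($segment, $blocked, true)) {
            throw new InvalidArgumentException("script extension in file name: $name");
        }
    }
    $ext  = pathinfo($base, PATHINFO_EXTENSION);   // 'txt' for 'notes.2021.txt'
    $stem = pathinfo($base, PATHINFO_FILENAME);    // 'notes.2021'
    return $ext === '' ? $stem . '_copy' : $stem . '_copy.' . $ext;
}

// Self-check on constructed names.
assert(flawed_copy_name('shell.php.txt') === 'shell_copy.php');      // the reported bug
assert(safe_copy_name('notes.2021.txt') === 'notes.2021_copy.txt');  // suffix before last extension
try {
    safe_copy_name('shell.php.txt');
    echo "unexpected: double extension accepted" . PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . PHP_EOL;
}
```

The same validation belongs at upload time as well, so that a double-extension name is never stored in the uploads dir in the first place.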

BSteelooper commented 4 years ago

I drafted a new release: https://github.com/pluck-cms/pluck/releases/tag/4.7.10-dev5 Could you please retest?

BSteelooper commented 4 years ago

There is a typeerror, in that a `.` is added to the end of the line. This is resolved in the repo but didn't get into the release. It will be in the next one.

2A806 commented 4 years ago

[image] You should remove this too.