Closed 2A806 closed 4 years ago
I drafted a new release : https://github.com/pluck-cms/pluck/releases/tag/4.7.10-dev5 Could you please retest?
There is a typeerror that there is a . added to the end of the line. This is resolved in repo but didn't get into the release. it will be in the next one.
you should remove this too.
Pluck-4.7.10 admin background exists a remote command execution vulnerability
it happens when restore file from trashcan,and the restoring file has the same with one of the files in uploaded files dir the coding flaw is in file /pluck/data/inc/trashcan_restoreitem.php at line 54 when $var1 is 'shell.php.txt', here $filename will get value 'shell' and $extension will get value 'php', and then concat with the string '_copy' we will get the final filename with 'shell_copy.php'
Proof step1: login -> pages -> manage files upload file with name shell.php.txt upload success
step2: delete file to trashcan
step3: upload the same file again
step4: restore the file from trashcan, and the restored file is renamed as shell_copy.php
step5: visit webshell
note: operate with "manage images" can do the same as it has the same coding flaw at line 76