Pluck 4.7.15 - Missing SSL Certificate Validation in update_applet.php

Question

naiagoesawoo opened this issue 3 years ago · comments

Issue Summary
Pluck's update system deliberately skips SSL certificate validation.

Detailed Description
Within update_applet.php is the following code:

		// Dont check ssl certifical
		curl_setopt($geturl, CURLOPT_SSL_VERIFYPEER, false);

This ensures peer SSL certificates are never valdiated.

Impact
In theory, this vulnerability can make the Pluck's update system susceptible to Man-in-the-middle attacks.

Bas Steelooper · Answer 1 · Tue Apr 27 2021 01:10:51 GMT+0800 (China Standard Time)

Could you perform a retest with the latest dev version?

Naia Ōkami · Answer 2 · Tue Apr 27 2021 01:42:25 GMT+0800 (China Standard Time)

Hello,

I confirm that the reported missing SSL Certificate Validation issue has been fixed. :)

debug601 · Answer 3 · Sun Dec 26 2021 12:06:21 GMT+0800 (China Standard Time)

你好

我确认报告的缺少SSL证书验证问题已修复。:)

Boss, how did you apply for the cve number?