pluck-cms / pluck

Central repo for pluck cms

Home Page: http://www.pluck-cms.org

Inclusion of files without authentication

m3n0sd0n4ld opened this issue · comments

Hello,

I sent you this vulnerability months ago and you have not answered me.

I leave it here, so that at least it is identified by the users in case someone wants to patch it (or take other measures).

I have detected that the file "albums_getimage.php" uses the parameter "?image=" and does not check that the file passed to it is an image file, allowing a remote and unauthenticated attacker to read the contents of arbitrary files (e.g. PHP, which can only be read at the server level).

Although in principle it does not seem possible to perform a path traversal (recursively backwards), it can be done from the root of the album folder forward, which could jeopardize files customized by your end client (e.g. a backup file of the Pluck CMS password). It is also possible to list files and directories, so the attacker could list them just by accessing the directory and read them through that parameter.

Code albums_getimage.php:

Proof of concept:

From the administration panel, the existing albums are shown, the "poc" album being the one we will use for the proof of concept:

Next, the file "poc.php" is shown; this file is generated from the title of the album, creating a PHP file whose content cannot be read.

But it is possible to read the content of this file through the following URL and parameter: http://192.168.174.140/data/modules/albums/albums_getimage.php?image=poc.php

By fuzzing techniques or by directly visiting the folder (due to the lack of an .htaccess file in this directory or any other protection), a remote and unauthenticated attacker would be able to list relevant PHP files in the root folder of the album or in other folders generated by the CMS or by the user.

In the following scenario, the Pluck CMS administrator has exposed a backup file of the application, which contains the hardcoded, encrypted administration panel password:

By reusing the vulnerable parameter and specifying the new directory and file, "albums_getimage.php?image=poc/pass-backup.php", the attacker would be able to read the contents of this file and extract the password hash.

Bonus track

On the other hand, the Pluck CMS application lacks a proper password policy, which allows users to use poor passwords, increasing the chances of success in cracking the password hash.

In case of success, the remote attacker could hijack the application, achieving its compromise and seriously affecting the confidentiality, integrity and availability of the stored information.

It has also been detected that it is possible to upload PHP files from the file manager; chaining these vulnerabilities would give access to the machine that deploys the application, increasing the scope of the attack and the possibility of lateral movement in the network.

Mitigation

Implement in the code a function that checks the type of files, using a whitelist of allowed image extensions (e.g. .png, .gif, .jpeg), thus preventing a malicious user from uploading other files that are not expected by the application.

Best regards,
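As an added example (not pluck's own code and not part of the report above), the following shows the kind of check the mitigation section asks for on the read side: the "image" parameter is restricted to a plain file name, an extension allowlist, confinement to the album directory and a content check, so the "poc.php" and "poc/pass-backup.php" requests described above are both refused. The album directory path and the function names are assumptions.

```php
<?php
// Hardened lookup for the "image" parameter of an album image handler.
// Added example; the directory below is a constructed assumption, not pluck's real layout.
const ALBUM_DIR = __DIR__ . '/../../images/albums';

// Map of allowed extensions to the MIME type the file content must actually have.
const ALLOWED_IMAGE_TYPES = [
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
];

// Returns the resolved path of a safe image, or null when the request must be refused.
function resolve_album_image(string $albumDir, string $requested): ?string
{
    // 1. Only a bare file name: rejects "poc/pass-backup.php", "../x" and empty input.
    if ($requested === '' || $requested !== basename($requested)) {
        return null;
    }
    // 2. Extension allowlist (case-insensitive): rejects "poc.php".
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return null;
    }
    // 3. Resolve and confirm the file really sits inside the album directory.
    $base = realpath($albumDir);
    $path = realpath($albumDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // 4. Check content, not just the name: the bytes must parse as the declared image type.
    $info = @getimagesize($path);
    if ($info === false || $info['mime'] !== ALLOWED_IMAGE_TYPES[$ext]) {
        return null;
    }
    return $path;
}

function serve_album_image(string $albumDir, string $requested): void
{
    $path = resolve_album_image($albumDir, $requested);
    if ($path === null) {
        http_response_code(404); // refuse without revealing whether the file exists
        exit;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    header('Content-Type: ' . ALLOWED_IMAGE_TYPES[$ext]);
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

serve_album_image(ALBUM_DIR, (string)($_GET['image'] ?? ''));
```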