pluck-cms / pluck

Central repo for pluck cms

Home Page:http://www.pluck-cms.org

Billion Laughs Attack found on pluck 4.7.9 dev3

security-breachlock opened this issue

Description: The Billion Laughs attack is a denial-of-service attack that targets XML parsers. The Billion Laughs attack is also known as an XML bomb, or more esoterically, the exponential entity expansion attack. A Billion Laughs attack can occur even when using well-formed XML and can also pass XML schema validation. For this reason, it may sometimes be tricky to figure out how to mitigate the threat of the Billion Laughs attack when working with different XML parsers.

Vulnerability Name: Billion Laughs Attack
Vulnerable URL: http://localhost/pluck-4.7.9-dev3/pluck-4.7.9-dev3/files/xxe.xml

Discovered by: BreachLock

Website: https://www.breachlock.com

Author: Rahul Kumar Rai

Proof of concept:
Step 1: Log in to pluck-4.7.9-dev3 with the admin role.
Step 2: Go to the pages option and click there; you will get a manage files option. Browse to the .xml file in which the crafted code is written, then click on upload.

[screenshot]

Step 3: After uploading the file, just click on the search box, as shown below.

[screenshot]

Step 4: Here the .xml file gets executed.

[screenshot]
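What the uploaded payload would do to a parser that actually expands entities, and the pre-parse check such a parser front-end would apply, as an added example. This is not Pluck code and not the reporter's file: the two XML documents are constructed here (a classic 10-level "lol" bomb and a harmless document with one entity), the function names are hypothetical, and only the internal DTD subset with internal general entities is handled. As the maintainer's reply below points out, Pluck has no XML parser, so on Pluck the upload only hosts the file; the example shows why the file is only dangerous to something that parses it.

```python
"""Estimate the entity-expansion cost of an XML document before handing it to a parser.

Added example (not Pluck's code). Only the internal DTD subset and internal general
entities are handled; external (SYSTEM/PUBLIC) and parameter entities are out of scope.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample 1: the classic "billion laughs" bomb. About 1 KB on disk,
# 10**9 copies of "lol" (3 GB) once &lol9; is fully expanded.
BOMB_XML = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE lolz [\n'
    ' <!ENTITY lol0 "lol">\n'
    + "".join(
        ' <!ENTITY lol%d "%s">\n' % (n, "&lol%d;" % (n - 1) * 10) for n in range(1, 10)
    )
    + ']>\n<lolz>&lol9;</lolz>\n'
)

# Constructed sample 2: a document that uses one small entity legitimately.
BENIGN_XML = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE note [\n'
    ' <!ENTITY company "Example Corp">\n'
    ']>\n'
    '<note>&company; welcomes you &amp; friends</note>\n'
)

DOCTYPE_RE = re.compile(r'<!DOCTYPE\b[^\[>]*(?:\[(.*?)\])?\s*>', re.S)
# Internal general entities only: "<!ENTITY name "value">". Parameter entities
# ("<!ENTITY % name ...>") and SYSTEM/PUBLIC entities deliberately do not match.
ENTITY_DECL_RE = re.compile(r'<!ENTITY\s+([A-Za-z_:][\w.:-]*)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
ENTITY_REF_RE = re.compile(r'&([A-Za-z_:][\w.:-]*);')
PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "apos": 1, "quot": 1}  # each expands to one char


def split_dtd(xml_text):
    """Return (internal_subset, body): the text inside DOCTYPE [...] and everything after it."""
    m = DOCTYPE_RE.search(xml_text)
    if m is None:
        return "", xml_text
    return (m.group(1) or ""), xml_text[m.end():]


def internal_entities(subset):
    """Map entity name -> literal replacement text for the internal subset."""
    entities = {}
    for d in ENTITY_DECL_RE.finditer(subset):
        value = d.group(2) if d.group(2) is not None else d.group(3)
        entities.setdefault(d.group(1), value)  # XML rule: the first binding of a name wins
    return entities


def expanded_length(name, entities, memo=None, active=None):
    """Characters produced by fully expanding &name;, computed from lengths only.

    The replacement text is never materialised, so measuring a 3 GB expansion
    costs a handful of dictionary lookups. Memoised per entity name; a cycle
    (illegal in XML anyway) is reported instead of recursing forever.
    """
    if name in PREDEFINED:
        return PREDEFINED[name]
    memo = {} if memo is None else memo
    active = set() if active is None else active
    if name in memo:
        return memo[name]
    if name in active:
        raise ValueError("recursive entity reference: &%s;" % name)
    if name not in entities:
        raise ValueError("undeclared entity: &%s;" % name)
    active.add(name)
    total = len(entities[name])
    for ref in ENTITY_REF_RE.finditer(entities[name]):
        # replace the reference text "&x;" by the size of what it expands to
        total += expanded_length(ref.group(1), entities, memo, active) - len(ref.group(0))
    active.discard(name)
    memo[name] = total
    return total


def document_expansion_size(xml_text):
    """Size of the document body once every general-entity reference in it is expanded.

    References inside comments or CDATA would not really expand, so this is a
    conservative over-estimate, which is what a pre-parse gate wants.
    """
    subset, body = split_dtd(xml_text)
    entities = internal_entities(subset)
    memo = {}
    total = len(body)
    for ref in ENTITY_REF_RE.finditer(body):
        total += expanded_length(ref.group(1), entities, memo) - len(ref.group(0))
    return total


def looks_like_bomb(xml_text, max_expansion=1_000_000, max_amplification=50):
    """True when the expanded size or the expansion ratio is implausible for real data."""
    size = document_expansion_size(xml_text)
    return size > max_expansion or size > max_amplification * len(xml_text)


def parse_guarded(xml_text):
    """Gate the expansion check in front of a parser that does expand internal entities."""
    if looks_like_bomb(xml_text):
        raise ValueError("entity expansion bomb suspected, refusing to parse")
    return ET.fromstring(xml_text)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_XML), ("bomb", BOMB_XML)):
        print("%s: %d chars on disk -> %d chars expanded, bomb=%s"
              % (label, len(doc), document_expansion_size(doc), looks_like_bomb(doc)))
```

The two thresholds are the check a practitioner actually wants: an absolute cap on the expanded size and a cap on the amplification ratio, because a bomb is defined by output size divided by input size, not by the input looking odd. Serving `xxe.xml` as a static file, which is all a file manager does, never runs this expansion; only a component that calls an entity-expanding parser on the upload would.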

That file is not part of Pluck. The manage files function is for the maintenance of files to host/use in your website.
Since there is no XML parser in Pluck, this is invalid for Pluck...

@security-breachlock, you can upload nearly anything through the file manager. Try uploading EICAR and it will not trigger anything. Why? Pluck is not an antivirus, it is a CMS.

Also, before reporting a security bug/exploit, read about the exploit and whether Pluck is targeted or not. For instance, this report is not targeting Pluck. It allows you to host a file (a proof of concept for a security researcher, for instance).
This is the responsibility of the owner of the website. They need to keep the password for their website secure, and if they do, everything you find by uploading files is NOT possible.