File upload vuln pluck 4.7.10 dev version
zhangdebiao opened this issue · comments
An issue was discovered in Pluck before 4.7.10 dev version. Remote PHP code execution is possible.
Do you have an email? I will send details to it.
You can send all pluck exploits to pluck-exploits@bas.xosc.nl
Following are details of vulnerabilities in file upload
Location: https://github.com/pluck-cms/pluck/blob/master/data/inc/files.php
Code:
File upload only filters the suffixes '.php', 'php3', 'php4', 'php5', 'php6', 'php7', 'phtml', but ignores the '.pht' and '.phtm' files, while '.pht' and '.phtm' files can be parsed by Apache by default. Due to the inadequate filtering of file suffixes that prohibit uploading, an attacker can exploit this vulnerability to execute arbitrary code by uploading malicious files.
Step 1. Upload a file phpinfo.pht.
File content: <?php phpinfo();?>
Upload Successful
Step 2. Request
Malicious files are parsed as PHP; an attacker can exploit this vulnerability to execute arbitrary code by uploading malicious files.
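The filtering gap described in the report above, as an added example (not part of the issue thread and not Pluck's own code): a denylist built from the suffixes the report names, beside an allowlist check. The allowlist contents, function names and sample filenames are assumptions made for illustration.

```php
<?php
// Added example, not Pluck's code. The denylist mirrors the suffixes named in the report.
const DENYLIST = ['php', 'php3', 'php4', 'php5', 'php6', 'php7', 'phtml'];
// Assumption: the site only needs these upload types.
const ALLOWLIST = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

/** Weak check: reject only known-bad final extensions, accept everything else. */
function denylist_accepts(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, DENYLIST, true);
}

/** Hardened check: accept only "<safe base>.<allowed extension>". */
function allowlist_accepts(string $name): bool
{
    $name = basename($name);
    // Exactly one dot and safe characters only. This rejects dotfiles such as
    // ".htaccess", trailing dots, and multi-extension names such as "a.php.txt",
    // which Apache's mod_mime can act on via a non-final extension.
    // The D modifier stops "$" from matching before a trailing newline.
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/D', $name, $m)) {
        return false;
    }
    return in_array(strtolower($m[1]), ALLOWLIST, true);
}

// Constructed sample filenames.
$samples = [
    'photo.jpg', 'phpinfo.php', 'phpinfo.pht', 'phpinfo.phtm',
    'PHPINFO.PhT', 'notes.php.txt', '.htaccess',
];

foreach ($samples as $s) {
    printf(
        "%-14s denylist=%-6s allowlist=%s\n",
        $s,
        denylist_accepts($s) ? 'accept' : 'reject',
        allowlist_accepts($s) ? 'accept' : 'reject'
    );
}
```

The denylist accepts every name the server might still hand to PHP unless that exact suffix was anticipated; the allowlist rejects them without having to enumerate them. Serving the upload directory with script handlers disabled is a separate layer that holds even if an extension check is bypassed.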
I created a new release with a fix. Can you check?
pluck-4.7.10-dev1.tar.gz