File upload vuln pluck 4.7.10 dev version

Question

File upload vuln pluck 4.7.10 dev version

zhangdebiao opened this issue 5 years ago · comments

An issue was discovered in Pluck before 4.7.10 dev version. Remote PHP code execution is possible.
Do you hava a email? I send details to it.

Bas Steelooper · Answer 1 · Sun Jul 28 2019 05:11:20 GMT+0800 (China Standard Time)

You can send all pluck exploits to pluck-exploits@bas.xosc.nl

zhangdebiao · Answer 2 · Sun Jul 28 2019 11:02:35 GMT+0800 (China Standard Time)

Following are details of vulnerabilities in file upload
Location: https://github.com/pluck-cms/pluck/blob/master/data/inc/files.php
Code:

File upload only filters the suffixes'.php','php3','php4','php5','php6','php7','phtml', but ignores the'.pht'and'.phtm' files, while '.pht' and '.phtm' files can be parsed by Apache by default. Due to the inadequate filtering of file suffixes that prohibit uploading, an attacker can exploit this vulnerability to execute arbitrary code by uploading malicious files.

Step1. Upload a file phpinfo.pht.

File content: <?php phpinfo();?>

Upload Successful

Step2. Request

Malicious files are parsed as php, attacker can exploit this vulnerability to execute arbitrary code by uploading malicious files.

Bas Steelooper · Answer 3 · Thu Aug 01 2019 18:27:18 GMT+0800 (China Standard Time)

I created a new release with a fix. can you check?
pluck-4.7.10-dev1.tar.gz

zhangdebiao · Answer 4 · Thu Aug 01 2019 22:23:33 GMT+0800 (China Standard Time)

The vulnerability in this version has been fixed.If find other vulns, I will tell you immediately.

…

------------------ 原始邮件 ------------------ 发件人: "Bas Steelooper"<notifications@github.com>; 发送时间: 2019年8月1日(星期四) 晚上6:27 收件人: "pluck-cms/pluck"<pluck@noreply.github.com>; 抄送: "你吃啥呢"<843345000@qq.com>;"State change"<state_change@noreply.github.com>; 主题: Re: [pluck-cms/pluck] File upload vuln pluck 4.7.10 dev version (#78) I created a new release with a fix. can you check? pluck-4.7.10-dev1.tar.gz — You are receiving this because you modified the open/close state. Reply to this email directly, view it on GitHub, or mute the thread.