Pluck-4.7.10-dev2 admin background exists a remote command execution vulnerability in the management file interface.

Question

Pluck-4.7.10-dev2 admin background exists a remote command execution vulnerability in the management file interface.

Lilc1 opened this issue 5 years ago · comments

Vulnerability location：
/data/inc/file.php line:42

If the file name is '.htaccess', the strpos function returns a result of 0.
Demo:
Upload these two files in the management file interface.

Access in /files/1.txt.

Successful execution.
Then upload attack code.

Successfully obtained the shell.
Poc：

.htaccess
<FilesMatch "1">
SetHandler application/x-httpd-php
</FilesMatch>

l1l1l1l1l1l · Answer 1 · Mon Oct 21 2019 17:16:37 GMT+0800 (China Standard Time)

You can upload these two files through the csrf vulnerability, even without logging in to the background.

Bas Steelooper · Answer 2 · Mon Oct 21 2019 17:58:56 GMT+0800 (China Standard Time)

Could you please test the latest dev release 4.7.10-dev4?
https://github.com/pluck-cms/pluck/releases/tag/4.7.10-dev4

l1l1l1l1l1l · Answer 3 · Mon Oct 21 2019 18:01:20 GMT+0800 (China Standard Time)

您能否测试最新的开发版本4.7.10-dev4？
https://github.com/pluck-cms/pluck/releases/tag/4.7.10-dev4

All right!

Bas Steelooper · Answer 4 · Tue Oct 22 2019 15:20:22 GMT+0800 (China Standard Time)

Have you retested with the latest dev version?

l1l1l1l1l1l · Answer 5 · Fri May 01 2020 15:25:07 GMT+0800 (China Standard Time)

Have you retested with the latest dev version?

Can you apply for a CVE ID for me? Steps: https://help.github.com/en/github/managing-security-vulnerabilities/publishing-a-security-advisory#requesting-a-cve-identification-number