Pluck 4.7.10-dev2: remote command execution vulnerability in the admin backend's file management interface.
Lilc1 opened this issue
Vulnerability location:
/data/inc/file.php, line 42
If the file name is '.htaccess', the strpos function returns 0.
Demo:
Upload these two files through the file management interface.
Access /files/1.txt.
It executes successfully.
Then upload the attack code.
The shell is obtained successfully.
Poc:
.htaccess
<FilesMatch "1">
SetHandler application/x-httpd-php
</FilesMatch>
You can upload these two files through the CSRF vulnerability, even without logging in to the admin backend.
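As an added example (not code from the original report and not Pluck's own code), the following PHP shows the class of bug the report describes: a strpos() result used directly as a boolean, which is falsy when the match is at offset 0, next to a hardened check. The report does not quote line 42 of /data/inc/file.php, so the "vulnerable" function is a hypothetical reconstruction of its shape, and the extension allowlist is an assumption for the example.

```php
<?php
// Added example, not Pluck's own code. is_blocked_vulnerable() is a
// hypothetical reconstruction of a strpos()-based block; the real check
// at /data/inc/file.php line 42 is not quoted in the report.

// Hypothetical vulnerable check: strpos() returns 0 when '.htaccess' is the
// whole file name (match at offset 0). In PHP, 0 is falsy, so a file named
// exactly ".htaccess" is not blocked, while "x.htaccess" (offset 1) is.
function is_blocked_vulnerable(string $filename): bool {
    if (strpos($filename, '.htaccess')) {
        return true;
    }
    return false;
}

// Hardened check: compare strpos() against false explicitly, normalise the
// name, and refuse any dotfile rather than a single hard-coded name
// (.htaccess is the one abused here; .user.ini can also alter PHP behaviour
// on PHP-FPM hosts). Finish with an extension allowlist rather than a
// denylist so a renamed payload is still rejected.
function is_blocked_hardened(string $filename): bool {
    $name = strtolower(basename($filename));
    if ($name === '' || $name[0] === '.') {
        return true;                      // no dotfiles at all
    }
    if (strpos($name, '.htaccess') !== false) {
        return true;                      // explicit !== false comparison
    }
    // Allowed extensions: assumed list for this example, not Pluck's.
    $allowed = ['txt', 'jpg', 'jpeg', 'png', 'gif', 'pdf'];
    $ext = pathinfo($name, PATHINFO_EXTENSION);
    return !in_array($ext, $allowed, true);
}

// Constructed sample names for a quick comparison of both checks.
$samples = ['.htaccess', 'x.htaccess', '.HTACCESS', 'notes.txt', 'shell.php', '.user.ini'];
foreach ($samples as $s) {
    printf("%-12s vulnerable blocks: %-4s hardened blocks: %s\n",
        $s,
        is_blocked_vulnerable($s) ? 'yes' : 'no',
        is_blocked_hardened($s) ? 'yes' : 'no');
}
```

The uploaded .htaccess only takes effect if Apache is configured with AllowOverride permitting FileInfo directives in the upload directory, which is why the hardened check refuses the file outright instead of relying on the web server configuration. The FilesMatch "1" rule in the PoC then maps any file whose name contains "1" (such as 1.txt) to the PHP handler, which is what turns a harmless-looking text upload into executable code.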
Could you please test the latest dev release 4.7.10-dev4?
https://github.com/pluck-cms/pluck/releases/tag/4.7.10-dev4
All right!
Have you retested with the latest dev version?
Can you apply for a CVE ID for me? Steps: https://help.github.com/en/github/managing-security-vulnerabilities/publishing-a-security-advisory#requesting-a-cve-identification-number