Pluck-4.7.10-dev2 admin background exists a remote command execution vulnerability when uploading files

Question

Pluck-4.7.10-dev2 admin background exists a remote command execution vulnerability when uploading files

F1sh1001 opened this issue 5 years ago · comments

F1sh1001 commented 5 years ago

This vulnerability applies to php5.2. X

After the installation is successful, go to the management background

Then upload shell.php, It will be changed to shell.php.txt

Then upload shell.php again

Shell.php has not been changed to shell.php.txt

then view shell.php

Bas Steelooper · Answer 1 · Mon Oct 21 2019 20:52:47 GMT+0800 (China Standard Time)

As you state this is an issue with php 5.2.x this doesn't exist in php7. php5 is not longer supported by php (see https://www.php.net/supported-versions.php) and we cannot maintain versions which are no longer supported.

I have updated the minimal requirements to version 7 but it will work so I included a warning message that an insecure php version is used.

Will be in the next release