Pluck-4.7.10 admin background exists a remote command execution vulnerability

Question

Pluck-4.7.10 admin background exists a remote command execution vulnerability

2A806 opened this issue 5 years ago · comments

it happens when restore file from trashcan,and the restoring file has the same with one of the files in uploaded files dir
the coding flaw is in file /pluck/data/inc/trashcan_restoreitem.php at line 54

when $var1 is 'shell.php.txt', here $filename will get value 'shell' and $extension will get value 'php', and then concat with the string '_copy' we will get the final filename with 'shell_copy.php'

Proof
step1: login -> pages -> manage files
upload file with name shell.php.txt

upload success

step2: delete file to trashcan

step3: upload the same file again

step4: restore the file from trashcan, and the restored file is renamed as shell_copy.php

step5: visit webshell

note: operate with "manage images" can do the same as it has the same coding flaw at line 76

Bas Steelooper · Answer 1 · Wed Oct 23 2019 12:28:32 GMT+0800 (China Standard Time)

I drafted a new release : https://github.com/pluck-cms/pluck/releases/tag/4.7.10-dev5
Could you please retest?

Bas Steelooper · Answer 2 · Wed Oct 23 2019 12:37:20 GMT+0800 (China Standard Time)

There is a typeerror that there is a . added to the end of the line. This is resolved in repo but didn't get into the release. it will be in the next one.

bacong · Answer 3 · Wed Oct 23 2019 13:36:25 GMT+0800 (China Standard Time)

you should remove this too.