Pluck-4.7.10 admin background exists a remote command execution vulnerability
2A806 opened this issue · comments
Pluck-4.7.10 admin background exists a remote command execution vulnerability
it happens when restore file from trashcan,and the restoring file has the same with one of the files in uploaded files dir
the coding flaw is in file /pluck/data/inc/trashcan_restoreitem.php at line 54
when $var1 is 'shell.php.txt', here $filename will get value 'shell' and $extension will get value 'php', and then concat with the string '_copy' we will get the final filename with 'shell_copy.php'
Proof
step1: login -> pages -> manage files
upload file with name shell.php.txt
upload success
step2: delete file to trashcan
step3: upload the same file again
step4: restore the file from trashcan, and the restored file is renamed as shell_copy.php
note: operate with "manage images" can do the same as it has the same coding flaw at line 76
I drafted a new release : https://github.com/pluck-cms/pluck/releases/tag/4.7.10-dev5
Could you please retest?
There is a typeerror that there is a . added to the end of the line. This is resolved in repo but didn't get into the release. it will be in the next one.