Pluck 4.7.15 - Missing SSL Certificate Validation in update_applet.php #101

naiagoesawoo · 2021-04-21T17:59:48Z

Issue Summary
Pluck's update system deliberately skips SSL certificate validation.

Detailed Description
Within update_applet.php is the following code:

		// Dont check ssl certifical
		curl_setopt($geturl, CURLOPT_SSL_VERIFYPEER, false);

This ensures peer SSL certificates are never valdiated.

Impact
In theory, this vulnerability can make the Pluck's update system susceptible to Man-in-the-middle attacks.

The text was updated successfully, but these errors were encountered:

BSteelooper · 2021-04-26T17:10:51Z

Could you perform a retest with the latest dev version?

naiagoesawoo · 2021-04-26T17:42:25Z

Hello,

I confirm that the reported missing SSL Certificate Validation issue has been fixed. :)

k0xx11 · 2021-12-26T04:06:21Z

你好

我确认报告的缺少SSL证书验证问题已修复。:)

Boss, how did you apply for the cve number?

naiagoesawoo changed the title ~~Missing SSL Certificate Validation in update_applet.php~~ Pluck 4.7.15 - Missing SSL Certificate Validation in update_applet.php Apr 21, 2021

BSteelooper added a commit that referenced this issue Apr 26, 2021

disable option to disable certcheck issue #101

ca3fae7

BSteelooper added bug Resolved labels Apr 26, 2021

naiagoesawoo closed this as completed Apr 26, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Pluck 4.7.15 - Missing SSL Certificate Validation in update_applet.php #101

Pluck 4.7.15 - Missing SSL Certificate Validation in update_applet.php #101

naiagoesawoo commented Apr 21, 2021

BSteelooper commented Apr 26, 2021

naiagoesawoo commented Apr 26, 2021

k0xx11 commented Dec 26, 2021

Pluck 4.7.15 - Missing SSL Certificate Validation in update_applet.php #101

Pluck 4.7.15 - Missing SSL Certificate Validation in update_applet.php #101

Comments

naiagoesawoo commented Apr 21, 2021

BSteelooper commented Apr 26, 2021

naiagoesawoo commented Apr 26, 2021

k0xx11 commented Dec 26, 2021