File upload vuln pluck4.7.7 #61

Closed
liao10086 opened this issue May 31, 2018 · 8 comments

@liao10086

An issue was discovered in Pluck before 4.7.7. Remote PHP code execution is possible.
Do you have an email? I will send the details to it.

@BSteelooper
Contributor

Is it also in the latest version?
My email is pluck[at]bas.xosc.nl

@liao10086
Author

liao10086 commented May 31, 2018

author "liao" DBAPP
I found a file upload vuln in /data/inc/images.php in the latest version.

[image]
Line 39: when I set my file type to image/jpg but the file suffix is not in $imagewhitelist, I can still succeed in uploading files. Line 39 judges that the file suffix is not in $imagewhitelist, but the following statements are still executed, because the "if" on line 39 is not a nested statement.
E.g.:

1. Burp Suite: send an image and rename it
   [image]
   It displays upload failed, but the result is upload success.
   So I can upload any file.

2. Upload a new ".htaccess" to cover your ".htaccess"
   I uploaded a PHP file, but it doesn't work because of the ".htaccess" file, so I want to send a file to cover it.
   I send an image renamed to ".htaccess",
   [image]
   When I access the "phpinfo" file, it is an error.
   So I send an effective ".htaccess" file to cover it, just like this
   [image]

3. Upload the phpinfo file
   Now I send the phpinfo file with Burp Suite
   [image]
   Click the file, and the PHP code executes
   [image]

I hope you can fix it.
Best wishes
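
The control-flow mistake described in this report, next to a corrected handler, as an added example that is not Pluck's code or the patch from the referenced commits. The function names, the allowlists and the `$store` callback (a stand-in for `move_uploaded_file()`) are assumptions made for illustration.

```php
<?php
// Added illustration, not Pluck's code: names and allowlists are hypothetical.
// $store stands in for move_uploaded_file() so the sketch runs offline.
const ALLOWED_EXT  = ['jpg', 'jpeg', 'png', 'gif'];
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif'];

// Flawed pattern: the failed check only records an error, so the store step
// below still runs and the user sees "failed" for a file that was written.
function flawed_upload(array $file, callable $store): array
{
    $errors = [];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        $errors[] = 'upload failed';
    }
    $store($file['tmp_name'], $file['name']);
    return $errors;
}

// Corrected pattern: every failed check returns before anything is stored.
function checked_upload(array $file, callable $store): array
{
    $name = basename($file['name']);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    // Dotfiles such as .htaccess are refused outright.
    if ($name === '' || $name[0] === '.' || !in_array($ext, ALLOWED_EXT, true)) {
        return ['file type not allowed'];
    }
    // Inspect the content (fileinfo extension); $file['type'] is client-supplied.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        return ['content is not an image'];
    }
    // Store under a server-chosen name so the client cannot pick the path.
    $store($file['tmp_name'], bin2hex(random_bytes(8)) . '.' . $ext);
    return [];
}

// Constructed sample: a text file sent with an image Content-Type.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, 'plain text, not image data');
$file = ['name' => 'notes.php', 'type' => 'image/jpg', 'tmp_name' => $tmp];
$stored = [];
$store = function (string $src, string $dest) use (&$stored): void {
    $stored[] = $dest;
};
var_dump(flawed_upload($file, $store), checked_upload($file, $store), $stored);
unlink($tmp);
```

For the flawed handler the same request produces both an error message and a stored file, which matches the "displays upload failed but the result is upload success" behaviour in the report.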

BSteelooper added a commit that referenced this issue May 31, 2018
@BSteelooper
Contributor

I created a pre-release, can you try this?
pluck-4.7.7-dev1.tar.gz

BSteelooper added a commit that referenced this issue May 31, 2018
@BSteelooper
Contributor

Found an issue with the previous release.
Please try this one.
pluck-4.7.7-dev2.tar.gz

@liao10086
Author

liao10086 commented May 31, 2018

[image]
You can fix it like this

@BSteelooper
Contributor

That should be in the dev-2 version. See the second commit 673d605

@liao10086
Author

OK

@BSteelooper
Contributor

The issue is confirmed.

Threat level: LOW
Affected: Admin panel

file upload: Whitelist was not triggered properly

Remediation: Updated several files

Solved in 4.7.7 dev 2
