```php
<?php
// ......
$blockedExtentions = array('.php','php3','php4','php5','php6','php7','phtml');
if (in_array($lastfour, $blockedExtentions) or in_array($lastfive, $blockedExtentions) ){
    if (!rename('files/'.latinOnlyInput($_FILES['filefile']['name']), 'files/'.latinOnlyInput($_FILES['filefile']['name']).'.txt')){
        show_error($lang['general']['upload_failed'], 1);
    }
    chmod('files/'.latinOnlyInput($_FILES['filefile']['name']).'.txt', 0775);
}else{
    chmod('files/'.latinOnlyInput($_FILES['filefile']['name']), 0775);
}
// ......
?>
```
When the uploaded file hits a suffix in `$blockedExtentions`, the file will be renamed to `.{ext}.txt`, and files that miss `$blockedExtentions` will not be renamed. So you can upload a webshell by overriding the `.htaccess` file.

Step 1. Upload a file `.htaccess`

File content:

Step 2. Upload file `phpinfo.txt`

File content:

Step 3. Request
I classified this as invalid. This is not a security concern. With the password there are easier ways to deface or take over the website.
The inclusion of the .htaccess is a server setting to have this allowed or not. In my setup SetHandler is never allowed from .htaccess and only from the vhost.
Location: https://github.com/pluck-cms/pluck/blob/master/data/inc/files.php#L40
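For comparison with the blocklist in the reported code, here is an allowlist-based naming check that rejects dotfiles such as `.htaccess` outright. This is an added example, not code from Pluck or from either participant in the thread; `ALLOWED_EXTENSIONS`, `safeUploadName()` and the list of permitted extensions are assumptions chosen for illustration.

```php
<?php
// Added example, not Pluck's code. ALLOWED_EXTENSIONS and safeUploadName()
// are hypothetical names; the permitted extensions are an assumption.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

/**
 * Return a safe on-disk name for an upload, or null if it must be rejected.
 */
function safeUploadName(string $clientName): ?string
{
    // Drop any directory components supplied by the client.
    $base = basename(str_replace('\\', '/', $clientName));

    // Dotfiles (.htaccess, .user.ini) start with a dot and carry no script
    // extension, so a blocklist of script suffixes never matches them.
    if ($base === '' || $base[0] === '.') {
        return null;
    }

    // Split into stem and dot-separated extension parts, case-insensitively.
    $parts = explode('.', strtolower($base));
    $stem = array_shift($parts);
    if ($parts === []) {
        return null; // no extension at all
    }

    // Every part after the stem must be allowlisted, so "a.php.jpg" is
    // rejected as well as "shell.php". This is deliberately strict.
    foreach ($parts as $ext) {
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return null;
        }
    }

    // Keep a conservative character set in the stem.
    $stem = preg_replace('/[^a-z0-9_-]/', '_', $stem);
    return $stem . '.' . implode('.', $parts);
}

// Constructed sample names, not taken from the report.
$samples = ['.htaccess', 'phpinfo.txt', 'shell.php', 'shell.pHp5',
            'a.php.jpg', 'photo.JPG', '../x.png', 'README'];
foreach ($samples as $name) {
    printf("%-12s => %s\n", $name, safeUploadName($name) ?? 'REJECTED');
}
```

A name check like this only decides what may be written to `files/`; whether a stored `.txt` file can ever be executed still depends on the server-side override setting described in the maintainer's reply.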