```php
<?php
// ......
$blockedExtentions = array('.php','php3','php4','php5','php6','php7','phtml');
if (in_array($lastfour, $blockedExtentions) or in_array($lastfive, $blockedExtentions) ){
    // Suffix is in the list: the upload is kept, with .txt appended to its name
    if (!rename('files/'.latinOnlyInput($_FILES['filefile']['name']), 'files/'.latinOnlyInput($_FILES['filefile']['name']).'.txt')){
        show_error($lang['general']['upload_failed'], 1);
    }
    chmod('files/'.latinOnlyInput($_FILES['filefile']['name']).'.txt', 0775);
}else{
    // Suffix is not in the list: the file keeps its name
    chmod('files/'.latinOnlyInput($_FILES['filefile']['name']), 0775);
}
// ......
?>
```
When the uploaded file's suffix matches an entry in $blockedExtentions, the file will be renamed to .{ext}.txt, and files whose suffix misses $blockedExtentions will not be renamed. So you can upload a webshell by overriding the .htaccess file.
Step1. Upload a file .htaccess
File content:
Step2. Upload file phpinfo.txt
File content:
Step3. Request
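A stricter alternative to the suffix blocklist quoted above, as an added example that is not part of the issue or of Pluck's code: an allowlist check that also rejects dotfiles such as .htaccess. The function name, the allowed extensions and the sample file names are assumptions chosen for illustration.

```php
<?php
// Added example, not Pluck code. ALLOWED_EXTENSIONS and safe_upload_name()
// are hypothetical names; adjust the allowlist to what the site really needs.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

/**
 * Return the name to store the upload under, or null if it must be rejected.
 */
function safe_upload_name(string $clientName): ?string
{
    // Drop any directory part supplied by the client (both separator styles).
    $name = basename(str_replace('\\', '/', $clientName));

    // Reject empty names and dotfiles (.htaccess, .user.ini, ...).
    // A suffix blocklist never matches these, so they must be handled explicitly.
    if ($name === '' || $name[0] === '.') {
        return null;
    }

    // Require exactly one extension; "README" and "a.php.jpg" are both refused.
    $parts = explode('.', $name);
    if (count($parts) !== 2) {
        return null;
    }
    [$stem, $ext] = $parts;

    // Compare case-insensitively against the allowlist (strict type match).
    $ext = strtolower($ext);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    // Keep a conservative character set in the stored name.
    $stem = preg_replace('/[^A-Za-z0-9_-]/', '_', $stem);
    return $stem . '.' . $ext;
}

// Constructed sample names, not taken from the issue.
$samples = ['photo.JPG', '.htaccess', 'page.php', 'page.pHp5', 'notes.txt', 'a.php.jpg', 'README'];
foreach ($samples as $sample) {
    $stored = safe_upload_name($sample);
    printf("%-12s => %s\n", $sample, $stored === null ? 'REJECTED' : $stored);
}
```

The name check covers only the application side; whether .htaccess files in the upload directory are honoured at all is decided by the web server configuration.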
I classified this as invalid. This is not a security concern. With the password there are easier ways to deface or take over the website.
The inclusion of the .htaccess is a server setting to have this allowed or not. In my setup SetHandler is never allowed from .htaccess and only from the vhost.
Location: https://github.com/pluck-cms/pluck/blob/master/data/inc/files.php#L40