file-upload vulnerability in data/inc/files.php

[Dk0n9]

Location: https://github.com/pluck-cms/pluck/blob/master/data/inc/files.php#L40

Code:

<?php
	// ......
	$blockedExtentions = array('.php','php3','php4','php5','php6','php7','phtml');
			if (in_array($lastfour, $blockedExtentions) or in_array($lastfive, $blockedExtentions) ){
				if (!rename('files/'.latinOnlyInput($_FILES['filefile']['name']), 'files/'.latinOnlyInput($_FILES['filefile']['name']).'.txt')){
					show_error($lang['general']['upload_failed'], 1);
				}
				chmod('files/'.latinOnlyInput($_FILES['filefile']['name']).'.txt', 0775);
			}else{
				chmod('files/'.latinOnlyInput($_FILES['filefile']['name']), 0775);
			}
	// ......
?>

When the uploaded file hits the suffix in $blockedExtentions, the file will be renamed to .{ext}.txt, and missed $blockedExtentions will not be renamed. So you can upload a webshell by overriding the .htaccess file.

Step1. Upload a file .htaccess

File content:

Step2. Upload file phpinfo.txt

File content:

Step3. Request

[Dk0n9]

This was assigned CVE-2019-11344.

Credit: dk from Chaitin Tech

[BSteelooper]

pluck-4.7.9-dev2.tar.gz
Can you try the latest checkout?

[BSteelooper]

I classified this as an invalid. This is not a security concern. With the password there are easier ways to deface or take-over the website.
The inclusion of the .htaccess is a server setting to have this allowed or not. In my setup SetHandler is never allowed from .htaccess and only from the vhost.

[BSteelooper]

Fixed it in this latest release
pluck-4.7.9-dev3.tar.gz