Pluck-4.7.10-dev2 admin background exists a remote command execution vulnerability in the management file interface.

[Lilc1]

Vulnerability location：
/data/inc/file.php line:42

If the file name is '.htaccess', the strpos function returns a result of 0.
Demo:
Upload these two files in the management file interface.

Access in /files/1.txt.

Successful execution.
Then upload attack code.


Successfully obtained the shell.
Poc：

.htaccess
<FilesMatch "1">
SetHandler application/x-httpd-php
</FilesMatch>

[Lilc1]

You can upload these two files through the csrf vulnerability, even without logging in to the background.

[BSteelooper]

Could you please test the latest dev release 4.7.10-dev4?
https://github.com/pluck-cms/pluck/releases/tag/4.7.10-dev4

[Lilc1]

您能否测试最新的开发版本4.7.10-dev4？
https://github.com/pluck-cms/pluck/releases/tag/4.7.10-dev4

All right!

[BSteelooper]

Have you retested with the latest dev version?

[Lilc1]

Have you retested with the latest dev version?

Can you apply for a CVE ID for me? Steps: https://help.github.com/en/github/managing-security-vulnerabilities/publishing-a-security-advisory#requesting-a-cve-identification-number