Pluck-4.7.11 admin background exists a remote command execution vulnerability when uploading files #91
Comments
BSteelooper added a commit that referenced this issue Dec 19, 2019
Thanks... good find... Missed this in the testing. .htaccess will now be ignored when uploaded.

Could you try the https://github.com/pluck-cms/pluck/tree/4.7.12-dev1 release?

can bypass like this
BSteelooper added a commit that referenced this issue Dec 19, 2019
Could you do a retest with version https://github.com/pluck-cms/pluck/tree/4.7.12-dev2?

And you should solve this too. cont2 is vulnerable

Ok.. I’ll try to find a solution for the Windows mishaps





Pluck-4.7.11 admin background exists a remote command execution vulnerability when uploading files
Proof

step1: login -> pages -> manage files
upload .htaccess file to turn files/.htaccess to .htaccess.txt
step2: throw .htaccess.txt into trash

step3: upload shell code

step4: view http://127.0.0.1/pluck4711/files/pass07.php
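
A defensive counterpart to the steps above, as an added example that is not part of the original issue and not Pluck's own code: an allowlist check on uploaded file names that rejects `.htaccess`, `.htaccess.txt` and `pass07.php` alike, instead of special-casing `.htaccess`. The function name, the extension allowlist and the constructed sample names are assumptions; the trailing-dot sample assumes a Windows host, where such names are rewritten on disk after the check.

```php
<?php
// Added example, not Pluck's code. ALLOWED_EXT and safe_upload_name() are hypothetical.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

/**
 * Return the name to store an upload under, or null to reject it.
 * Allowlist rather than blocklist: the name must be exactly <stem>.<ext>.
 */
function safe_upload_name(string $clientName): ?string
{
    // Drop any directory part the client supplied (both separator styles).
    $name = basename(str_replace('\\', '/', $clientName));

    // One stem that starts with an alphanumeric, one dot, one extension.
    // This rejects dotfiles (.htaccess, .htaccess.txt), double extensions,
    // and trailing dots or spaces that the filesystem could strip later.
    $pattern = '/\A([A-Za-z0-9][A-Za-z0-9_-]{0,63})\.([A-Za-z0-9]{1,8})\z/';
    if (!preg_match($pattern, $name, $m)) {
        return null;
    }

    // Compare the extension case-insensitively against the allowlist.
    $ext = strtolower($m[2]);
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    return $m[1] . '.' . $ext;
}

// Constructed sample names; .htaccess, .htaccess.txt and pass07.php come from the report.
$samples = [
    '.htaccess',
    '.htaccess.txt',
    'pass07.php',
    'notes.txt.',
    '../files/.htaccess',
    'photo.JPG',
];
foreach ($samples as $s) {
    $stored = safe_upload_name($s);
    printf("%-20s => %s\n", $s, $stored === null ? 'REJECTED' : "stored as $stored");
}
```

Only `photo.JPG` is accepted (stored as `photo.jpg`). Running the same check on every file-manager action that takes a name, not just on upload, keeps rename and trash operations from reaching dotfiles.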
