Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-29607: Remote Code Execution via File Upload Restriction Bypass · Issue #96 · pluck-cms/pluck

A file upload restriction bypass vulnerability in Pluck CMS before 4.7.13 allows an admin privileged user to gain access in the host through the “manage files” functionality, which may result in remote code execution.

CVE
#vulnerability#web#apache#git

Comments

@loopspell

Vulnerability Description

I have observed that it is possible to upload php file on the system through manage files functionality which leads to compromise the system. As I’m able to upload malicious php file with .phar extension, and able to execute php code on the server.

Observation

On line 44-45 of files.php, I observed that the application uses blacklist extensions to restrict the php malicious file which can be easily bypassed with .phar extension.

Steps to Reproduce

  1. Login into the application’s admin panel.
  2. Navigate to the http://<server>/admin.php?action=files.
  3. Now upload the php file with .phar extension, for e.g. info.phar.

1

  1. After uploading the php file, navigate to the http://<server>/files/info.phar.

2

Mitigation

  • Rename the uploaded files to some random filenames, remove the file extension and then append your allowed file extension.
  • Whitelisted extension approach should be applied instead of blacklisting.
  • Correct use of .htaccess should be applied as shown below for preventing the php file execution in upload directory.

Reference

https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
https://www.php.net/manual/en/apache.configuration.php

Tested Version: 4.7.13****Vulnerable Version <= 4.7.13****Note: This is bypass of previous discovered File Upload vulnerability.

BSteelooper added a commit that referenced this issue

Dec 2, 2020

@BSteelooper

From issue #96 the suggestion is to disable the php engine completely.

BSteelooper added a commit that referenced this issue

Dec 2, 2020

@BSteelooper

Added .phar to the blocked extensions per issue #96

@BSteelooper

Thank you for your find.
The files upload exists to have users add all types of files to their website for download. Whitelisting is difficult since I don’t know what they want to upload. this is why we took the blacklist route.

I am playing with the idea to have a minimal whitelist which the user can extent from the gut, but this makes it again possible to upload files with an executable context.

I added the php_flag. I was not aware of this option thank you.

On a side note, since the password needs to be known to exploit this, it is a deliberate upload, and this is not to be stopped, since there are always ways to achieve this.

@BSteelooper

Could you try the latest development release?

@loopspell

Hi @BSteelooper, php_flag in .htaccess file set correctly, so now it is not possible to execute php files from files directory.
Also, it is not possible to upload .phar extension file through manage files functionality.
Thanks for the quick fix @BSteelooper

Tested Version: 4.7.14 dev 1

@BSteelooper

Thank you for testing. I’ll push the release later today

@attritionorg

@BSteelooper Can you confirm if this is the same issue as #91? That ticket was closed but not with a fixing commit or PR. Thanks!

@BSteelooper

@BSteelooper Can you confirm if this is the same issue as #91? That ticket was closed but not with a fixing commit or PR. Thanks!

This is not the same issue. in issue #91 there was a bug which allowed overwrite of the .htaccess file with a blank file which would remove the protections

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907