Headline
CVE-2020-29607: Remote Code Execution via File Upload Restriction Bypass · Issue #96 · pluck-cms/pluck
A file upload restriction bypass vulnerability in Pluck CMS before 4.7.13 allows an admin privileged user to gain access in the host through the “manage files” functionality, which may result in remote code execution.
Comments
Vulnerability Description
I have observed that it is possible to upload php file on the system through manage files
functionality which leads to compromise the system. As I’m able to upload malicious php file with .phar
extension, and able to execute php code on the server.
Observation
On line 44-45 of files.php
, I observed that the application uses blacklist extensions to restrict the php malicious file which can be easily bypassed with .phar
extension.
Steps to Reproduce
- Login into the application’s admin panel.
- Navigate to the
http://<server>/admin.php?action=files
. - Now upload the php file with
.phar
extension, for e.g.info.phar
.
- After uploading the php file, navigate to the
http://<server>/files/info.phar
.
Mitigation
- Rename the uploaded files to some random filenames, remove the file extension and then append your allowed file extension.
- Whitelisted extension approach should be applied instead of blacklisting.
- Correct use of
.htaccess
should be applied as shown below for preventing the php file execution in upload directory.
Reference
https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
https://www.php.net/manual/en/apache.configuration.php
Tested Version: 4.7.13****Vulnerable Version <= 4.7.13****Note: This is bypass of previous discovered File Upload vulnerability.
BSteelooper added a commit that referenced this issue
Dec 2, 2020
From issue #96 the suggestion is to disable the php engine completely.
BSteelooper added a commit that referenced this issue
Dec 2, 2020
Added .phar to the blocked extensions per issue #96
Thank you for your find.
The files upload exists to have users add all types of files to their website for download. Whitelisting is difficult since I don’t know what they want to upload. this is why we took the blacklist route.
I am playing with the idea to have a minimal whitelist which the user can extent from the gut, but this makes it again possible to upload files with an executable context.
I added the php_flag. I was not aware of this option thank you.
On a side note, since the password needs to be known to exploit this, it is a deliberate upload, and this is not to be stopped, since there are always ways to achieve this.
Could you try the latest development release?
Hi @BSteelooper, php_flag
in .htaccess
file set correctly, so now it is not possible to execute php files from files
directory.
Also, it is not possible to upload .phar
extension file through manage files
functionality.
Thanks for the quick fix @BSteelooper
Tested Version: 4.7.14 dev 1
Thank you for testing. I’ll push the release later today
@BSteelooper Can you confirm if this is the same issue as #91? That ticket was closed but not with a fixing commit or PR. Thanks!
@BSteelooper Can you confirm if this is the same issue as #91? That ticket was closed but not with a fixing commit or PR. Thanks!
This is not the same issue. in issue #91 there was a bug which allowed overwrite of the .htaccess file with a blank file which would remove the protections