Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

In PluXml v5.8.16 or lower, after logging in to the backend, there are any file modifications that can cause a Trojan to be written, causing RCE and posing a great threat to the server. #829

Closed
4everwl opened this issue Sep 12, 2024 · 4 comments

Comments

@4everwl
Copy link

4everwl commented Sep 12, 2024

Software Link :https://github.com/pluxml/PluXml
Website : https://pluxml.org/After
the installation is complete, log in as admin, open the page

image-20240912190643650

Here you can modify the theme code in the theme folder.

image-20240912190747756

Request packet capture, try to modify the parameter template to: ../../index.php

image-20240912190840518

What is returned at this time is the content of index.php. We try to modify the file content.

image-20240912190945770

image-20240912191037707

Request packet capture and change the parameter tpl to: ../../index.php

image-20240912191122494

Successful echo.

image-20240912191229824

Write Trojan.

image-20240912191359639

get shell.

image-20240912191447074

image-20240912192443226

The cause of this vulnerability is that $filename is not strictly judged in the project's core/admin/parametres_edittpl.php, which allows users to splice paths to read and modify arbitrary files.

image-20240912191949526

@gcyrillus
Copy link
Contributor

gcyrillus commented Oct 20, 2024

That is not a trouble, why would an administrator load a trojan in its own site ? Are you of that kind yourself ?
If we follow your way of thinking, the whole administration itself is dangerous, hey, i can add a new article and even configure the CMS as I wish !

@4everwl
Copy link
Author

4everwl commented Oct 21, 2024

What I mean is that after logging in, the attacker obtains the login backend of the website and can use social workers or weak passwords to take down the website shell

@gcyrillus
Copy link
Contributor

okay, i understand but this is not specific to PluXml and why the administrator would do such a thing? If the issue is about a weak password, again this is not PluXml, but the USER. Or like i like to say, that weird thing standing in betwwen the chair and the keyboard ;)
There is a plugin that can make it harder to login, even with a weak password : https://kazimentou.fr/repo/index.php?plugin=kzOtPHP&download
But however , if both datas are stolen, or lost then found, there is nothing to be done to avoid someone else to log in. It can actually happen to any digital account one has. If i'm wrong or missed something, do not hesitate to tell me and forget my misunderstanding :)

@4everwl
Copy link
Author

4everwl commented Oct 22, 2024

OK, I understand. I think this Theme edit function should only be able to edit Theme files, not be able to modify other files across levels.

@4everwl 4everwl closed this as completed Dec 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants