In PluXml v5.8.16 or lower, after logging in to the backend, there are any file modifications that can cause a Trojan to be written, causing RCE and posing a great threat to the server. #829
Comments
|
That is not a trouble, why would an administrator load a trojan in its own site ? Are you of that kind yourself ? |
|
What I mean is that after logging in, the attacker obtains the login backend of the website and can use social workers or weak passwords to take down the website shell |
|
okay, i understand but this is not specific to PluXml and why the administrator would do such a thing? If the issue is about a weak password, again this is not PluXml, but the USER. Or like i like to say, that weird thing standing in betwwen the chair and the keyboard ;) |
|
OK, I understand. I think this Theme edit function should only be able to edit Theme files, not be able to modify other files across levels. |
Software Link :https://github.com/pluxml/PluXml
Website : https://pluxml.org/After
the installation is complete, log in as admin, open the page
Here you can modify the theme code in the theme folder.
Request packet capture, try to modify the parameter template to: ../../index.php
What is returned at this time is the content of index.php. We try to modify the file content.
Request packet capture and change the parameter tpl to: ../../index.php
Successful echo.
Write Trojan.
get shell.
The cause of this vulnerability is that $filename is not strictly judged in the project's core/admin/parametres_edittpl.php, which allows users to splice paths to read and modify arbitrary files.
The text was updated successfully, but these errors were encountered: