Pluck CMS Remote Code Execution Vulnerability in Albums Module
Vulnerability
A remote code execution vulnerability has been identified in Pluck CMS version 4.7.20-dev. Because the Albums module validates uploaded file types inadequately, an authenticated attacker can upload or create malicious PHP files in the module's directory, and those files can then be executed through direct HTTP GET requests with user-controlled parameters.
Impact
Exploitation of this vulnerability allows for remote code execution on the server, with the executed code running in the context of the web server.
Reproduction
To reproduce this vulnerability, log in as an authenticated admin user on Pluck CMS 4.7.20-dev. Upload a PHP file disguised with an image file extension, such as '.jpg', through the Albums module. Once the file is uploaded, rename it to have a '.php' extension. The file can then be accessed via a crafted URL that includes a query parameter to execute arbitrary commands, such as 'id', triggering the remote code execution.
Remediation
To address this vulnerability, restrict the file types accepted by the Albums module to safe image MIME types. Consider moving uploaded files outside of the webroot or adding access restrictions, such as through a .htaccess file or a web application firewall. Additionally, sanitize and validate all uploaded content, and refactor the routing logic in 'albums.site.php' to prevent arbitrary file access.
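One way to implement the file type allowlist and the rename restriction described above, as an added example that is not Pluck's own code (ALBUM_DIR and both function names are assumptions made for illustration):

```php
<?php
// Added example, not Pluck's own code: a hardened store/rename pair for an image
// album directory. ALBUM_DIR and both function names are assumed for illustration.
const ALBUM_DIR = __DIR__ . '/data/albums';                 // assumed upload dir
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png',  'gif'  => 'image/gif'];

/** Validate one entry of $_FILES as a real image and store it under a server-chosen name. */
function album_store_image(array $file): string {
    if (($file['error'] ?? -1) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'] ?? '')) {
        throw new RuntimeException('upload failed or not an uploaded file');
    }
    // 1. Extension allowlist on the client-supplied name (necessary, not sufficient).
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }
    // 2. Magic-byte MIME type must agree with the extension; a PHP script named x.jpg fails here.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    // 3. Structural check: the bytes must decode as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }
    // 4. Server-chosen name: random base plus the validated extension, so the
    //    client-supplied name never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], ALBUM_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    chmod(ALBUM_DIR . '/' . $name, 0644);                   // readable, never executable
    return $name;
}

/** Rename inside the album directory; the extension must stay in the image allowlist. */
function album_rename_image(string $old, string $new): void {
    // Plain base names only (no path separators) and an allowlisted extension,
    // which closes the "rename a stored image to .php" step described above.
    foreach ([$old, $new] as $n) {
        if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)\z/i', $n)) {
            throw new InvalidArgumentException("invalid file name: $n");
        }
    }
    if (!is_file(ALBUM_DIR . '/' . $old) || !rename(ALBUM_DIR . '/' . $old, ALBUM_DIR . '/' . $new)) {
        throw new RuntimeException('rename failed');
    }
}
```

Pair this with a web-server rule that refuses to execute scripts from the album directory (the .htaccess restriction mentioned above), so that a future validation bypass still cannot reach the PHP interpreter.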
