CVE-2020-29607
📋 TL;DR
Pluck CMS before 4.7.13 lets an authenticated admin user bypass the file-type restrictions of the 'manage files' page and upload files the web server will execute as PHP, which turns CMS admin access into remote code execution on the host. Any holder of admin credentials (legitimate or stolen) is in scope, so treat the bug as an escalation from CMS admin to web-server user rather than as an unauthenticated flaw.
💻 Affected Systems
- Pluck CMS
📦 What is this software?
Pluck by Pluck CMS (pluck-cms on GitHub): a small, open-source PHP content management system. It stores pages, settings and uploaded files under its data/ directory and uses no database, which matters both for backups and for locating the upload directory to harden.
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through remote code execution, allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.
Likely Case
Unauthorized file upload leading to web shell deployment, data exfiltration, or website defacement by malicious admin users or attackers who compromise admin credentials.
If Mitigated
Limited impact: with PHP execution disabled in the upload directory a malicious upload becomes an inert file on disk, restricting admin access to a few trusted, MFA-protected accounts shrinks the pool of users who can reach the bug, and network segmentation limits what a compromised web server can reach.
🎯 Exploit Status
Exploitation requires valid admin credentials or an admin session. Multiple public proof-of-concept exploits (see References) automate the login, the file upload bypass and the deployment of a web shell, so the vulnerability should be treated as weaponized wherever admin access is not tightly controlled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.7.13
Vendor Reference (GitHub issue): https://github.com/pluck-cms/pluck/issues/96
Restart Required: No
Instructions:
1. Back up the whole Pluck installation directory. Pluck uses no database; everything user-generated lives under data/, so that directory is the backup.
2. Download Pluck 4.7.13 or later from the official repository (https://github.com/pluck-cms/pluck).
3. Replace the application files with the new version, preserving data/ and any custom themes or modules.
4. Confirm the version shown in the admin panel is 4.7.13 or higher, then re-test the 'manage files' upload with a PHP-executable extension and confirm it is refused.
🔧 Temporary Workarounds
Restrict File Upload Types
Applies to: all versions. An extension blocklist inside the application is fragile (a blocklist is exactly what was bypassed here, and .phar and .phtml are executed by the default mod_php configuration on Debian-family systems), so enforce the restriction at the web server: refuse to execute anything under the upload directory, whatever its extension. Both snippets assume Pluck is installed at the web root and that the upload directory is data/files; adjust the paths otherwise.
# Apache with mod_php: switch the PHP engine off for the upload directory.
# Place this in the vhost or httpd.conf (or in a .htaccess there if AllowOverride permits it).
<Directory "/path/to/pluck/data/files">
php_flag engine off
</Directory>
# Apache with php-fpm: php_flag is ignored, so deny the script extensions outright instead.
<Directory "/path/to/pluck/data/files">
<FilesMatch "\.(php[0-9]?|phtml|phar|phps)$">
Require all denied
</FilesMatch>
</Directory>
# Nginx: this block must come before the generic "\.php$" fastcgi location,
# because nginx uses the first regex location that matches.
location ~* ^/data/files/.*\.(php[0-9]?|phtml|phar|phps)$ {
deny all;
}
Remove Admin File Management
Applies to: all versions. Temporarily disable the 'manage files' page for admin users.
# This means editing core files (admin.php and the file-manager code it includes) to comment out
# the upload handling. A later update overwrites those edits, so remove or re-apply them after patching.
# A less invasive alternative is to deny requests to admin.php whose query string contains action=files
# at the web server, which disables the page without touching Pluck's code.
🧯 If You Can't Patch
- Block PHP execution in the upload directory at the web server rather than relying on the application's extension checks; verify the block by requesting a harmless test .php file placed there and confirming it is refused or served as plain text, never executed.
- Limit admin accounts to the minimum set of people and put multi-factor authentication or an IP allow-list in front of the admin pages (reverse proxy, VPN or HTTP auth), since the vulnerability is only reachable with admin credentials.
🔍 How to Verify
Check if Vulnerable:
Read the version from the admin panel (authoritative) or from the version.php file shipped with the install. Anything below 4.7.13 is vulnerable. Compare numerically, not as strings: 4.7.9 is older than 4.7.13 even though it sorts after it alphabetically.
Check Version:
grep -rniE "[0-9]+\.[0-9]+\.[0-9]+" /path/to/pluck --include='version.php'
Verify Fix Applied:
Confirm the admin panel shows 4.7.13 or higher. Then test from the attacker's side: log in as admin, try to upload a file with a PHP-executable extension (.php, .phtml, .phar) through 'manage files', and confirm it is refused. If the web-server workaround is also in place, request a harmless test .php under data/files and confirm the response is a 403 or the raw source, never executed output.
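The version comparison above is where ad-hoc checks go wrong, so here is an added example (not Pluck's code or the advisory's) that reads the version string out of a version.php body and compares it component by component against 4.7.13. It assumes the file assigns a quoted dotted version string; the variable name differs between releases, so the string is matched rather than the name. The install path is a placeholder, and the sample bodies in the main block are constructed.

```python
"""Decide whether a Pluck install is below the fixed 4.7.13. Added example."""
import re
from pathlib import Path

FIXED_VERSION = (4, 7, 13)  # first release with the fix, per the advisory
# Matches a quoted dotted version such as '4.7.12' regardless of the variable name.
VERSION_RE = re.compile(r"""['"](\d+(?:\.\d+)+)['"]""")


def parse_version(php_source: str) -> tuple:
    """Return the first quoted dotted version in a version.php body as an int tuple."""
    match = VERSION_RE.search(php_source)
    if match is None:
        raise ValueError("no quoted dotted version string found")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version: tuple) -> bool:
    """Tuple comparison is numeric per component: (4, 7, 9) < (4, 7, 13) is True,
    whereas the string comparison '4.7.9' < '4.7.13' is False."""
    return version < FIXED_VERSION


def check_install(root: str) -> dict:
    """Locate version.php under the install root (assumed layout) and report on it."""
    found = sorted(Path(root).rglob("version.php"))
    if not found:
        raise FileNotFoundError(f"no version.php under {root}")
    version = parse_version(found[0].read_text(errors="replace"))
    return {
        "file": str(found[0]),
        "version": ".".join(map(str, version)),
        "vulnerable": is_vulnerable(version),
    }


if __name__ == "__main__":
    # Constructed sample bodies standing in for real version.php contents.
    for body in ("$pluck_version = '4.7.9';", "$pluck_version = '4.7.13';"):
        v = parse_version(body)
        print(body, "->", "VULNERABLE" if is_vulnerable(v) else "fixed")
```

Call check_install("/path/to/pluck") on a live host; the returned dict is convenient to feed into a fleet-wide inventory, which is the usual reason a numeric comparison matters (a string sort would silently mark 4.7.9 hosts as patched).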
📡 Detection & Monitoring
Log Indicators:
- Files with script extensions (.php, .phtml, .phar, .php5, ...) or double extensions (shell.php.jpg) appearing under data/files, or a .htaccess appearing there
- An admin session uploading file types the site never uses, especially from a new source IP or user agent
- Several rejected upload attempts followed by a successful one (an attacker iterating extensions until one passes the check)
Network Indicators:
- HTTP POST requests to /admin.php?action=files carrying multipart uploads, notably from scripted HTTP clients rather than a browser
- Requests for files under /data/files/ with a script extension (the web shell being called), followed by unusual outbound connections from the web server
SIEM Query:
source="web_logs" (url="*admin.php*action=files*" AND method="POST") | stats count by src_ip, user_agent
Pair this upload-side search with one for requests to *.ph* under /data/files/ broken down by src_ip, url and status: that catches the shell being used, not only uploaded, and a 403 there shows the web-server workaround doing its job.
🔗 References
- http://packetstormsecurity.com/files/162785/Pluck-CMS-4.7.13-Remote-Shell-Upload.html
- https://github.com/Hacker5preme/Exploits/tree/main/CVE-2020-29607-Exploit
- https://github.com/MarkLee131/awesome-web-pocs/blob/main/CVE-2020-29607.md
- https://github.com/pluck-cms/pluck/issues/96