CVE-2018-11736
Published 2018-06-05
Priority P270 · critical · 9.8 (CVSS 3.0)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 8.57% (94.4th percentile)
An issue was discovered in Pluck before 4.7.7-dev2. /data/inc/images.php allows remote attackers to upload and execute arbitrary PHP code by using the image/jpeg content type for a .htaccess file.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pluck-cms | pluck | <= 4.7.7 | — |
| pluck-cms | pluck | — | — |
Detection & IOCs (extracted from sources)
- Detect multipart file upload requests to /data/inc/images.php where the filename is '.htaccess' but the declared Content-Type is 'image/jpeg'; this is the core bypass technique.
- Alert on HTTP requests to admin.php?action=images that result in a .htaccess file being written to the images directory, followed by subsequent requests to .jpg files in that directory (PHP execution via Apache handler override).
- Monitor web server logs for POST requests to admin.php?action=images uploading a file with Content-Type: image/jpeg but a filename of .htaccess.
- Detect the string 'AddType application/x-httpd-php' appearing in uploaded files within the Pluck images directory, indicating an Apache handler override for PHP execution via non-.php extensions.
- The exploit requires authentication to the Pluck admin panel before the malicious upload can be performed; unauthenticated exploitation is not possible.
- The .htaccess-based PHP execution technique only works on Apache web servers where AllowOverride is enabled for the images directory; other web servers (e.g., nginx) are not affected by this specific bypass.
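The first and fourth detection items above, as an added example that is not part of this page's sources or of Pluck's own code: it parses a captured multipart upload to the paths named on the page and flags a part whose filename is `.htaccess` while its declared Content-Type is an image type, or whose body carries an `AddType application/x-httpd-php` handler override. The form field name and the sample bodies are constructed here, not taken from the page.

```python
"""Added detection example for the CVE-2018-11736 upload pattern (not from
this page's sources or Pluck's code). Flags multipart parts named '.htaccess'
that declare an image/* Content-Type, and any uploaded body containing an
Apache 'AddType application/x-httpd-php' handler override."""
import re
from email import policy
from email.parser import BytesParser

HANDLER_OVERRIDE = re.compile(rb"AddType\s+application/x-httpd-php", re.I)
UPLOAD_PATHS = ("/data/inc/images.php", "admin.php?action=images")  # from the page
BOUNDARY = "----constructedboundary"  # constructed value
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"

def multipart_body(parts):
    """Build a constructed multipart/form-data body from (filename, content_type, payload)."""
    out = ""
    for filename, ctype, payload in parts:  # field name "image" is an assumption
        out += (f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"image\"; "
                f"filename=\"{filename}\"\r\nContent-Type: {ctype}\r\n\r\n{payload}\r\n")
    return (out + f"--{BOUNDARY}--\r\n").encode()

def find_suspicious_parts(request_target, content_type, body):
    """Return [(filename, declared_type, reasons)] for parts that look like the bypass."""
    if not any(p in request_target for p in UPLOAD_PATHS):
        return []
    # Prepend a MIME header so the stdlib parser splits the multipart body for us.
    msg = BytesParser(policy=policy.default).parsebytes(
        f"Content-Type: {content_type}\r\n\r\n".encode() + body)
    findings = []
    for part in msg.iter_parts():
        filename = part.get_filename() or ""
        declared = part.get_content_type()
        reasons = []
        if filename == ".htaccess" and declared.startswith("image/"):
            reasons.append("htaccess-as-image")      # filename / Content-Type mismatch
        if HANDLER_OVERRIDE.search(part.get_payload(decode=True) or b""):
            reasons.append("php-handler-override")   # handler directive inside the upload
        if reasons:
            findings.append((filename, declared, reasons))
    return findings

# Constructed samples: a benign JPEG upload, and a .htaccess disguised as a JPEG.
BENIGN_BODY = multipart_body([("photo.jpg", "image/jpeg", "JFIF-sample-bytes")])
BYPASS_BODY = multipart_body([("photo.jpg", "image/jpeg", "JFIF-sample-bytes"),
                              (".htaccess", "image/jpeg", "AddType application/x-httpd-php .jpg")])

if __name__ == "__main__":
    print(find_suspicious_parts("/admin.php?action=images", CONTENT_TYPE, BYPASS_BODY))
```

Only the upload path and the per-part filename/Content-Type pair are needed, so the same check can run over a WAF or proxy capture as well as over files already written to the images directory.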
CVSS provenance
- NVD v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
No writeups or analysis indexed.