CVE-2018-11736
published 2018-06-05


Priority: P2 (score 70)
Severity: critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: EXPLOIT
EPSS: 8.57% (94.4th percentile)
An issue was discovered in Pluck before 4.7.7-dev2. /data/inc/images.php allows remote attackers to upload and execute arbitrary PHP code by using the image/jpeg content type for a .htaccess file.

Affected

2 ranges

Vendor      Product  Version range  Fixed in
pluck-cms   pluck    <= 4.7.7
pluck-cms   pluck

Detection & IOCs

Type      Value
url       http://pluck1/admin.php?action=images
path      /data/inc/images.php
filename  .htaccess
command   AddType application/x-httpd-php .jpg
  • Detect multipart file upload requests to /data/inc/images.php where the filename is '.htaccess' but the declared Content-Type is 'image/jpeg' — this is the core bypass technique.
  • Alert on HTTP requests to admin.php?action=images that result in a .htaccess file being written to the images directory, followed by subsequent requests to .jpg files in that directory (PHP execution via Apache handler override).
  • Monitor web server logs for POST requests to admin.php?action=images uploading a file with Content-Type: image/jpeg but a filename of .htaccess.
  • Detect the string 'AddType application/x-httpd-php' appearing in uploaded files within the Pluck images directory, indicating an Apache handler override for PHP execution via non-.php extensions.
  • The exploit requires authentication to the Pluck admin panel before the malicious upload can be performed; unauthenticated exploitation is not possible.
  • The .htaccess-based PHP execution technique only works on Apache web servers where AllowOverride is enabled for the images directory; other web servers (e.g., nginx) are not affected by this specific bypass.
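The first and fourth detection bullets above can be implemented as a small request inspector. The following is an added example (not Pluck code and not taken from any detection rule linked to this CVE): it splits a multipart/form-data POST to the Pluck image upload endpoints into parts, flags a part whose filename is .htaccess while its declared Content-Type is an image type, and flags any uploaded body containing the Apache handler override string from the IOC table. It goes slightly beyond the bullets by also reporting any image Content-Type whose filename lacks an image extension. The boundary, the request bodies and the header dict are constructed sample input.

```python
"""Inspector for Pluck images.php upload requests (CVE-2018-11736 pattern).

Added example, not part of Pluck or of the advisory. Flags multipart parts
that declare an image Content-Type but carry a .htaccess filename, and any
uploaded body that contains an Apache PHP handler override.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# IOC from the advisory; bytes pattern because part bodies are bytes.
HANDLER_OVERRIDE = re.compile(rb"AddType\s+application/x-httpd-php", re.IGNORECASE)
IMAGE_TYPES = {"image/jpeg", "image/png", "image/gif"}
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")
# Pluck upload endpoints named in the advisory's IOC table.
TARGET_MARKERS = ("admin.php?action=images", "/data/inc/images.php")


@dataclass
class Part:
    headers: Dict[str, str]
    body: bytes
    filename: Optional[str]


def parse_multipart(body: bytes, boundary: str) -> List[Part]:
    """Minimal multipart/form-data splitter (CRLF line endings, RFC 7578 shape)."""
    delim = b"--" + boundary.encode()
    parts: List[Part] = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter "--boundary--"
            break
        chunk = chunk.lstrip(b"\r\n")
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):  # CRLF that precedes the next delimiter
            data = data[:-2]
        headers: Dict[str, str] = {}
        for line in head.decode("latin-1").split("\r\n"):
            if ":" in line:
                key, value = line.split(":", 1)
                headers[key.strip().lower()] = value.strip()
        match = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
        parts.append(Part(headers, data, match.group(1) if match else None))
    return parts


def analyze_upload(request_line: str, headers: Dict[str, str], body: bytes) -> List[str]:
    """Return a list of findings for one HTTP request (empty list = nothing suspicious)."""
    findings: List[str] = []
    tokens = request_line.split()
    if len(tokens) < 2 or tokens[0] != "POST":
        return findings
    if not any(marker in tokens[1] for marker in TARGET_MARKERS):
        return findings  # only the Pluck image upload endpoints are in scope here
    boundary = re.search(r"boundary=([^;]+)", headers.get("content-type", ""))
    if not boundary:
        return findings
    for part in parse_multipart(body, boundary.group(1).strip('"')):
        fname = part.filename or ""
        declared = part.headers.get("content-type", "").split(";")[0].strip().lower()
        if fname == ".htaccess" and declared in IMAGE_TYPES:
            findings.append(f"filename .htaccess declared as {declared}")
        elif declared in IMAGE_TYPES and not fname.lower().endswith(IMAGE_EXTS):
            findings.append(f"image Content-Type {declared} with non-image filename {fname!r}")
        if HANDLER_OVERRIDE.search(part.body):
            findings.append(f"Apache PHP handler override in uploaded part {fname!r}")
    return findings


# Constructed sample traffic (not captured from a real system).
BOUNDARY = "----ExampleBoundary1234"
SAMPLE_HEADERS = {"content-type": f"multipart/form-data; boundary={BOUNDARY}"}
MALICIOUS_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="image"; filename=".htaccess"\r\n'
    "Content-Type: image/jpeg\r\n\r\n"
    "AddType application/x-httpd-php .jpg\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="upload"\r\n\r\n'
    "Upload\r\n"
    f"--{BOUNDARY}--\r\n"
).encode("latin-1")
BENIGN_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="image"; filename="logo.jpg"\r\n'
    "Content-Type: image/jpeg\r\n\r\n"
    "\xff\xd8\xff\xe0JFIF\r\n"
    f"--{BOUNDARY}--\r\n"
).encode("latin-1")

if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS_BODY), ("benign", BENIGN_BODY)):
        print(label, analyze_upload("POST /admin.php?action=images HTTP/1.1", SAMPLE_HEADERS, body))
```

The inspector is deliberately scoped to the two Pluck endpoints from the IOC table; in a WAF or proxy rule you would normally drop that gate and apply the filename/Content-Type mismatch check to every multipart upload, since the handler-override string is worth flagging wherever it appears.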

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P