| Field | Value |
|---|---|
| Title | DedeCMS DedeCMS Content Management System v5.7.88 Server-Side Request Forgery (SSRF) / Open Redirect |
| Description | A Server-Side Request Forgery (SSRF) and Open Redirect vulnerability exists in the `download.php` component of DedeCMS. In the `open=1` redirection mode, the `link` parameter is decoded via `base64_decode(urldecode($link))` and validated only by a weak prefix regular-expression match against `$cfg_basehost`. That check can be bypassed with the `@` userinfo trick (e.g., `http://<basehost>@evil.com`, where the text before `@` is credentials, not the host) or with subdomain spoofing (e.g., `http://legit.com.evil.com`). Additionally, the whitelist check fails because the `$linkinfo` variable is undefined, so unauthenticated remote attackers can supply arbitrary URLs.<br>Example payloads:<br>1. SSRF (probe an internal service): `GET /plus/download.php?open=1&link=aHR0cDovLzEyNy4wLjAuMQ==` (Base64-decoded: `http://127.0.0.1`; triggers a server-side request to the loopback address)<br>2. Open Redirect (phishing): `GET /plus/download.php?open=1&link=aHR0cDovLzMuY29tQGV2aWwuY29t` (Base64-decoded: `http://3.com@evil.com`; redirects to evil.com)<br>Successful exploitation allows attackers to perform internal network service discovery, port scanning, or phishing attacks, which may lead to further compromise of the server and its internal infrastructure. |
| User | R21Z20 (UID 97129) |
| Submission | 14/05/2026 07:18 AM (23 days ago) |
| Moderation | 01/06/2026 07:55 PM (19 days later) |
| Status | Approved |
| VulDB Entry | 367676 [DedeCMS 5.7.88 download.php?open=1 base64_decode link authorization bypass] |
| Points | 17 |
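A hardened check for the decoded `link` value, as an added example (Python, not DedeCMS's own PHP code): it reproduces the page's `base64_decode(urldecode($link))` decoding step, then validates the parsed host instead of matching a URL prefix, so the `@` userinfo and subdomain-spoofing bypasses described above are rejected. `BASEHOST = "legit.com"` and the `weak_prefix_check` regex are assumptions standing in for `$cfg_basehost` and the real DedeCMS check.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Assumption: the site's $cfg_basehost is "legit.com" (constructed sample value).
BASEHOST = "legit.com"


def decode_link(link_param: str) -> str:
    """Mirror the page's decoding step: base64_decode(urldecode($link))."""
    raw = base64.b64decode(unquote(link_param), validate=True)
    return raw.decode("utf-8", "replace")


def weak_prefix_check(url: str, basehost: str = BASEHOST) -> bool:
    """Illustrative prefix-style check (assumption, not DedeCMS's actual regex).
    It only asks whether the URL *starts* with the allowed host, so
    'http://legit.com@evil.com' and 'http://legit.com.evil.com' both pass."""
    return re.match(r"^https?://" + re.escape(basehost), url) is not None


def strict_host_check(url: str, basehost: str = BASEHOST) -> bool:
    """Hardened validation: parse the URL and compare the effective host."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False  # no ftp://, file:// or other schemes for a redirect
    if "@" in parts.netloc:
        return False  # userinfo present: the real host is after the '@'
    host = parts.hostname or ""  # urlsplit lowercases and strips the port
    # Exact host, or a genuine subdomain ("www.legit.com"); a host that merely
    # starts with the basehost ("legit.com.evil.com") does not match.
    return host == basehost or host.endswith("." + basehost)


def is_allowed_redirect(link_param: str, basehost: str = BASEHOST) -> bool:
    """Decode the raw link parameter and apply the strict check."""
    try:
        url = decode_link(link_param)
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return False
    return strict_host_check(url, basehost)


if __name__ == "__main__":
    # Constructed inputs: the two payloads from the description plus a benign link.
    for p in ("aHR0cDovLzEyNy4wLjAuMQ==", "aHR0cDovLzMuY29tQGV2aWwuY29t",
              "aHR0cDovL2xlZ2l0LmNvbQ=="):
        print(decode_link(p), "->", "allowed" if is_allowed_redirect(p) else "rejected")
```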