Submission #829415: DedeCMS DedeCMS Content Management System V5.7.88 SQL Injection

Information

Title: DedeCMS DedeCMS Content Management System V5.7.88 SQL Injection
Description: A Medium-severity SQL Injection vulnerability exists in the carbuyaction.php component of DedeCMS, affecting version V5.7.88. The vulnerability is located in the shopping cart checkout function, where the user-controlled shipping information parameters (postname, address, email, des) are processed only by the RemoveXSS() and cn_substrR() functions. RemoveXSS() (located in include/helpers/filter.helper.php, line 69) is designed to filter XSS attack vectors (e.g., control characters) and does not escape SQL special characters. These unescaped parameters are concatenated directly into the INSERT SQL statement for the #@__shops_userinfo table at lines 190-192. Additionally, the $val['title'] (product title) parameter in the INSERT statement for the #@__shops_products table (lines 187-188) is also not subject to SQL escaping.

Example payloads (POST request, any of the following parameters):

1. Using the postname parameter: POST /plus/carbuyaction.php, parameter: postname=test' UNION SELECT 1,2,admin,pwd FROM dede_admin-- -
2. Using the des parameter: POST /plus/carbuyaction.php, parameter: des=test' UNION SELECT 1,2,admin,pwd FROM dede_admin-- -

Successful exploitation allows unauthenticated remote attackers to execute arbitrary SQL queries, extract sensitive data (including administrator credentials), and manipulate database records related to orders, user information, and products. The vulnerability is fully exploitable because the application fails to apply proper SQL escaping to user-controlled input in the checkout process.

Vulnerable code location: carbuyaction.php lines 178-193, where user-controlled parameters are concatenated directly into INSERT SQL queries without SQL protection.
User: R21Z20 (UID 97129)
Submitted: 14/05/2026 07:25 AM (23 days ago)
Moderation: 02/06/2026 01:30 PM (19 days later)
Status: Approved
VulDB entry: 367915 [DedeCMS 5.7.88 /plus/carbuyaction.php RemoveXSS postname/des SQL injection]
Points: 17
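The root cause in the description, an XSS filter standing in for SQL escaping, shown as an added PHP illustration that is not DedeCMS code: the vulnerable shape (filter, then concatenate into INSERT) beside a parameterised version. The table name, column names, the stand-in filter and the sample input are assumptions.

```php
<?php
// Added illustration, not DedeCMS code. Table/column names are assumed.

// Stand-in for an XSS-only filter such as RemoveXSS(): strips control
// characters and tags but leaves ' " \ untouched, so it is no SQL defence.
function xss_only_filter(string $s): string {
    $s = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $s);
    return strip_tags($s);
}

// Vulnerable shape described in the submission: the filtered value is
// still interpolated into the SQL text, so a quote breaks the literal.
function build_insert_vulnerable(array $post): string {
    $postname = xss_only_filter($post['postname'] ?? '');
    $address  = xss_only_filter($post['address'] ?? '');
    return "INSERT INTO shops_userinfo (postname, address) "
         . "VALUES ('$postname', '$address')";
}

// Hardened shape: values travel as bound parameters, never as SQL text.
// Length limiting replaces cn_substrR(); output encoding belongs at render time.
function insert_userinfo_safe(PDO $db, array $post): void {
    $stmt = $db->prepare(
        'INSERT INTO shops_userinfo (postname, address) VALUES (:postname, :address)'
    );
    $stmt->execute([
        ':postname' => mb_substr($post['postname'] ?? '', 0, 60),
        ':address'  => mb_substr($post['address'] ?? '', 0, 255),
    ]);
}

// Constructed input containing a single quote.
$input = ['postname' => "O'Brien", 'address' => 'x'];

// The vulnerable builder emits a statement whose string literal is broken.
echo build_insert_vulnerable($input), PHP_EOL;

// With a prepared statement the same quote is stored as plain data.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE shops_userinfo (postname TEXT, address TEXT)');
insert_userinfo_safe($db, $input);
var_dump($db->query('SELECT postname FROM shops_userinfo')->fetchColumn());
```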
