CVE-2024-7906 in DedeBIZ

Summary

by MITRE • 08/18/2024

A vulnerability classified as critical was found in DedeBIZ 6.3.0. This vulnerability affects the function get_mime_type of the file /admin/dialog/select_images_post.php of the component Attachment Settings. The manipulation of the argument upload leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Analysis

by VulDB Data Team • 09/27/2024

This critical vulnerability in DedeBIZ 6.3.0 is an unrestricted file upload flaw in the attachment handling of the content management system. It resides in the get_mime_type function of /admin/dialog/select_images_post.php, part of the Attachment Settings component, where processing of the upload argument does not adequately validate the type and content of the submitted file. An attacker can therefore bypass the intended file-type restriction and place files of their choosing on the server, which is what makes this endpoint a significant target for remote exploitation.

Technically the flaw comes down to insufficient validation in the upload path. When the attachment dialog submits a file, the server does not reliably verify the MIME type or extension of the upload against an allowlist before accepting it, so the client-supplied name and declared type are effectively trusted. Because DedeBIZ is a PHP application, the dangerous case is a file the web server will hand to the PHP interpreter (.php, or any other extension mapped to PHP on that host): an upload stored under the web root with such a name becomes remotely executable code. The vulnerability is classified as remote because the endpoint is reached over the network. The advisory does not state whether the request must carry an authenticated session; since the script lives under /admin/, practitioners should assume some level of backend access is involved and should not read "remote" as "unauthenticated".
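The following is an added illustration of the weak check described above beside a hardened one; it is not DedeBIZ code (the real handler is PHP) and uses Python only so the logic can be read and run on its own. The sample uploads, the assumption that the endpoint should accept only PNG/GIF/JPEG images, and the helper names are all constructed for the example.

```python
"""Weak vs. hardened handling of an image upload (added illustration, not DedeBIZ code).

The weak path trusts what the client sends; the hardened path derives the
extension from an allowlist, sniffs the file header, ignores the declared
Content-Type, and never reuses the client-supplied name.
"""
import secrets
from dataclasses import dataclass

# Allowed extensions and the file header (magic bytes) each must start with.
# Assumption for the example: the endpoint is only meant to accept images.
ALLOWED_IMAGE_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
}
ALLOWED_IMAGE_MAGIC["jpeg"] = ALLOWED_IMAGE_MAGIC["jpg"]


@dataclass
class Upload:
    """One multipart file part as the server sees it; every field is attacker-controlled."""
    filename: str
    content_type: str
    data: bytes


def weak_check(upload: Upload) -> tuple[bool, str]:
    """The CWE-434 pattern: accept on the client's declared MIME type and keep its filename."""
    if upload.content_type.startswith("image/"):
        return True, upload.filename
    return False, "declared type is not an image"


def hardened_check(upload: Upload) -> tuple[bool, str]:
    """Accept only when extension and header agree with the allowlist; return a server-chosen name."""
    # Strip any path component the client smuggled into the name.
    name = upload.filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in name:
        return False, "no extension"
    ext = name.rsplit(".", 1)[1].lower()
    magics = ALLOWED_IMAGE_MAGIC.get(ext)
    if magics is None:
        return False, f"extension .{ext} is not allowed"
    if not any(upload.data.startswith(m) for m in magics):
        return False, f"content does not look like a .{ext} image"
    # The stored name is generated server-side, so a double extension or a
    # null byte in the original name never reaches the filesystem.
    stored = f"{secrets.token_hex(8)}.{'jpg' if ext == 'jpeg' else ext}"
    return True, stored


# Constructed samples (benign placeholders, not real payloads): a PHP script
# disguised by name, one disguised by declared type, a genuine PNG header sent
# with a misleading name and type, and a GIF header followed by PHP code.
PHP_NAMED = Upload("script.php", "image/png", b"<?php echo 'hello'; ?>")
PHP_AS_PNG = Upload("avatar.png", "image/png", b"<?php echo 'hello'; ?>")
REAL_PNG = Upload("../photo.PNG", "application/octet-stream",
                  b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
GIF_POLYGLOT = Upload("pic.gif", "image/gif", b"GIF89a<?php echo 'hello'; ?>")

if __name__ == "__main__":
    for sample in (PHP_NAMED, PHP_AS_PNG, REAL_PNG, GIF_POLYGLOT):
        print(sample.filename, "weak:", weak_check(sample), "hardened:", hardened_check(sample))
```

Note the last sample: a file that begins with a valid GIF header but carries PHP code passes the header check. That is expected and is why the header sniff is not the whole defence; the hardened path still stores it under a generated name with a .gif extension, and the upload directory must additionally be served without script execution, so the polyglot is inert unless some other flaw includes it as PHP.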

The impact goes beyond the unauthorized file itself. An uploaded web shell gives the attacker remote code execution as the web server user, from which data exfiltration and lateral movement into the surrounding network follow. The weakness is CWE-434, Unrestricted Upload of File with Dangerous Type, which appears on the CWE Top 25 list of most dangerous software weaknesses; the corresponding ATT&CK technique is T1190, Exploit Public-Facing Application, since the vector is a network-reachable administrative interface.

Public disclosure without a vendor response leaves organizations exposed to a known issue with no official patch. Defenders should restrict network access to the /admin/ interface, validate uploads on the server side at more than one layer (extension allowlist, content sniffing, server-generated filenames), configure the upload directory so the web server never executes scripts from it, and monitor for POST requests to the affected endpoint followed by requests for script files under the attachment directory. Organizations running DedeBIZ 6.3.0 should consider disabling the affected attachment functionality or placing additional validation in front of it until a fix is available. The lack of vendor communication compounds the risk: without a vendor statement, operators cannot confirm whether later releases address the issue or whether related flaws exist in the same code.
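As an added example of the monitoring suggested above (not VulDB or DedeBIZ code), the script below scans web server access logs for the upload-then-execute sequence: a POST to the affected endpoint followed, from the same client, by a request for a PHP file under the attachment directory. The log lines are constructed; the endpoint path comes from the advisory, while /uploads/ as the attachment directory and the ten-minute correlation window are assumptions.

```python
"""Detection sketch for CVE-2024-7906 style abuse (added example, not project code).

Assumptions: combined log format as written by Apache/Nginx, the upload endpoint
path from the advisory, and /uploads/ as the directory holding attachments.
"""
import re
from collections import defaultdict
from datetime import datetime

UPLOAD_ENDPOINT = "/admin/dialog/select_images_post.php"
UPLOAD_DIR = "/uploads/"  # assumed attachment directory
# A PHP-executable extension anywhere in the path, so "x.php.jpg" (mod_mime
# double-extension handling) is flagged as well as "x.php" and "x.php?cmd=...".
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|\?|/|$)", re.IGNORECASE)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse(line: str):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious(lines, window_seconds: int = 600):
    """Return one finding per request for a script under UPLOAD_DIR.

    Severity is 'high' when the same client POSTed to the upload endpoint within
    the window beforehand, 'medium' otherwise (a script under the attachment
    directory is never expected, even without a correlated upload).
    """
    uploads = defaultdict(list)  # client ip -> timestamps of POSTs to the endpoint
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].split("?")[0] == UPLOAD_ENDPOINT:
            uploads[rec["ip"]].append(rec["ts"])
            continue
        if rec["path"].startswith(UPLOAD_DIR) and SCRIPT_EXT.search(rec["path"]):
            recent = [t for t in uploads[rec["ip"]]
                      if 0 <= (rec["ts"] - t).total_seconds() <= window_seconds]
            findings.append({
                "ip": rec["ip"],
                "path": rec["path"],
                "status": rec["status"],
                "severity": "high" if recent else "medium",
                "prior_uploads": len(recent),
            })
    return findings


# Constructed log lines for the example (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Aug/2024:10:01:02 +0000] "GET /admin/dialog/select_images.php HTTP/1.1" 200 2140',
    '203.0.113.7 - - [18/Aug/2024:10:01:09 +0000] "POST /admin/dialog/select_images_post.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [18/Aug/2024:10:01:15 +0000] "GET /uploads/240818/x7k2.php?cmd=id HTTP/1.1" 200 88',
    '198.51.100.4 - - [18/Aug/2024:10:05:00 +0000] "GET /uploads/240818/banner.png HTTP/1.1" 200 4011',
    '198.51.100.9 - - [18/Aug/2024:11:30:00 +0000] "GET /uploads/old.phtml HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f)
```

On a real host the same idea applies to a file-integrity check: any new file with a script extension appearing under the attachment directory is a finding regardless of what the access log shows, which catches uploads that arrive through a path the log parser does not see.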

Responsible

VulDB

Disclosure

08/18/2024

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00142

KEV

no

Activities

very low
