Invia #829404: DedeCMS DedeCMS Content Management System v5.7.88 Server-Side Request Forgery (SSRF) / Open Redirectinformazioni

TitoloDedeCMS DedeCMS Content Management System v5.7.88 Server-Side Request Forgery (SSRF) / Open Redirect
DescrizioneA Server-Side Request Forgery (SSRF) and Open Redirect vulnerability exists in the `download.php` component of DedeCMS. The vulnerability occurs in the `open=1` redirection mode, where the `link` parameter is decoded via `base64_decode(urldecode($link))` and validated only by a weak prefix regular expression match against `$cfg_basehost`. This check can be bypassed using techniques such as the `@` symbol (e.g., `http://[email protected]`) or subdomain spoofing (e.g., `http://legit.com.evil.com`). Additionally, the whitelist check fails because the `$linkinfo` variable is undefined, allowing unauthenticated remote attackers to construct malicious URLs. Example payloads: 1. SSRF (probe internal service): `GET /plus/download.php?open=1&link=aHR0cDovLzEyNy4wLjAuMQ==` (Base64-decoded: `http://127.0.0.1`, triggers request to internal loopback address) 2. Open Redirect (phishing): `GET /plus/download.php?open=1&link=aHR0cDovLzMuY29tQGV2aWwuY29t` (Base64-decoded: `http://[email protected]`, redirects to evil.com) Successful exploitation allows attackers to perform internal network service discovery, port scanning, or phishing attacks, which may lead to further compromise of the server and its internal infrastructure.
Utente
 R21Z20 (UID 97129)
Sottomissione14/05/2026 07:18 (2 mesi fa)
Moderazione01/06/2026 19:55 (19 days later)
StatoAccettato
Voce VulDB367676 [DedeCMS 5.7.88 download.php?open=1 base64_decode Link escalationi di privilegi]
Punti17

Do you know our Splunk app?

Download it now for free!