| 제목 | DedeCMS DedeCMS Content Management System v5.7.88 Server-Side Request Forgery (SSRF) / Open Redirect |
|---|
| 설명 | A Server-Side Request Forgery (SSRF) and Open Redirect vulnerability exists in the `download.php` component of DedeCMS. The vulnerability occurs in the `open=1` redirection mode, where the `link` parameter is decoded via `base64_decode(urldecode($link))` and validated only by a weak prefix regular expression match against `$cfg_basehost`. This check can be bypassed using techniques such as the `@` symbol (e.g., `http://[email protected]`) or subdomain spoofing (e.g., `http://legit.com.evil.com`). Additionally, the whitelist check fails because the `$linkinfo` variable is undefined, allowing unauthenticated remote attackers to construct malicious URLs.
Example payloads:
1. SSRF (probe internal service):
`GET /plus/download.php?open=1&link=aHR0cDovLzEyNy4wLjAuMQ==`
(Base64-decoded: `http://127.0.0.1`, triggers request to internal loopback address)
2. Open Redirect (phishing):
`GET /plus/download.php?open=1&link=aHR0cDovLzMuY29tQGV2aWwuY29t`
(Base64-decoded: `http://[email protected]`, redirects to evil.com)
Successful exploitation allows attackers to perform internal network service discovery, port scanning, or phishing attacks, which may lead to further compromise of the server and its internal infrastructure. |
|---|
| 사용자 | R21Z20 (UID 97129) |
|---|
| 제출 | 2026. 05. 14. AM 07:18 (22 날 ago) |
|---|
| 모더레이션 | 2026. 06. 01. PM 07:55 (19 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 367676 [DedeCMS 5.7.88 download.php?open=1 base64_decode 링크 권한 상승] |
|---|
| 포인트들 | 17 |
|---|