| Название | DedeCMS DedeCMS Content Management System v5.7.88 Server-Side Request Forgery (SSRF) / Open Redirect |
|---|
| Описание | A Server-Side Request Forgery (SSRF) and Open Redirect vulnerability exists in the `download.php` component of DedeCMS. The vulnerability occurs in the `open=1` redirection mode, where the `link` parameter is decoded via `base64_decode(urldecode($link))` and validated only by a weak prefix regular expression match against `$cfg_basehost`. This check can be bypassed using techniques such as the `@` symbol (e.g., `http://[email protected]`) or subdomain spoofing (e.g., `http://legit.com.evil.com`). Additionally, the whitelist check fails because the `$linkinfo` variable is undefined, allowing unauthenticated remote attackers to construct malicious URLs.
Example payloads:
1. SSRF (probe internal service):
`GET /plus/download.php?open=1&link=aHR0cDovLzEyNy4wLjAuMQ==`
(Base64-decoded: `http://127.0.0.1`, triggers request to internal loopback address)
2. Open Redirect (phishing):
`GET /plus/download.php?open=1&link=aHR0cDovLzMuY29tQGV2aWwuY29t`
(Base64-decoded: `http://[email protected]`, redirects to evil.com)
Successful exploitation allows attackers to perform internal network service discovery, port scanning, or phishing attacks, which may lead to further compromise of the server and its internal infrastructure. |
|---|
| Пользователь | R21Z20 (UID 97129) |
|---|
| Представление | 14.05.2026 07:18 (21 дни назад) |
|---|
| Модерация | 01.06.2026 19:55 (19 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 367676 [DedeCMS 5.7.88 download.php?open=1 base64_decode Ссылка эскалация привилегий] |
|---|
| Баллы | 17 |
|---|