| Title | DESHANG DSCMS <=3.1.2 Pre-Authentication Arbitrary File Download |
|---|---|
| Description | The DSCMS System version 3.1.2 and below is susceptible to a Pre-Authentication Arbitrary File Download vulnerability. This vulnerability arises from the 'public/install.php' file, where an attacker can manipulate the 'action' cookie to bypass installation checks and use the 'step' parameter to connect to an arbitrary MySQL server. When combined with the 'local infile' feature in PHP versions 7.1 and below, this can allow a malicious actor to load files from their rogue MySQL server, enabling them to read Phar files and potentially trigger deserialization, leading to further exploitation. |
| Source | ⚠️ https://note.zhaoj.in/share/xYQMsARg83ui |
| User | glzjin (UID 59815) |
| Submission | 01/09/2024 02:59 (2 years ago) |
| Moderation | 01/11/2024 11:23 (2 days later) |
| Status | Accepted |
| VulDB entry | 250434 [DeShang DSCMS up to 3.1.2/7.1 public/install.php access control] |
| Points | 20 |