| Title | dedecms V5.7.118 Command Injection |
|---|
| Description |
Remote Code Execution via RunPHP Tag Attribute: A critical vulnerability exists in the DedeCMS template tag parsing system that allows authenticated administrators to execute arbitrary PHP code through the `runphp` tag attribute. This vulnerability bypasses content filtering mechanisms using PHP callback functions.
The DedeCMS template system supports a `runphp='yes'` attribute that enables PHP code execution within template tags. Although content filtering is implemented to prevent dangerous function calls, the filter can be bypassed using PHP's usort() callback mechanism, allowing attackers to execute arbitrary system commands.
Vulnerability Functionality:
- Direct Code Execution: Uses eval() to execute PHP code within template tags
- Content Filter Bypass: PHP callback functions circumvent variable function detection
- String Concatenation: Bypasses keyword blacklist by splitting dangerous function names
- One-Step Exploitation: No file upload required, direct command execution through tag testing |
|---|
| Source | ⚠️ https://note-hxlab.wetolink.com/share/4D2GTz4wWGpV |
|---|
| User | yu22x (UID 34832) |
|---|
| Submission | 12/17/2025 05:14 (4 months ago) |
|---|
| Moderation | 12/21/2025 13:36 (4 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 313331 [DedeCMS up to 5.7.2 Template dedetag.class.php notes command injection] |
|---|
| Points | 0 |
|---|