| 标题 | DedeCMS DedeCMS Content Management System v5.7.88 Server-Side Request Forgery (SSRF) / Open Redirect |
|---|
| 描述 | A Server-Side Request Forgery (SSRF) and Open Redirect vulnerability exists in the `download.php` component of DedeCMS. The vulnerability occurs in the `open=1` redirection mode, where the `link` parameter is decoded via `base64_decode(urldecode($link))` and validated only by a weak prefix regular expression match against `$cfg_basehost`. This check can be bypassed using techniques such as the `@` symbol (e.g., `http://[email protected]`) or subdomain spoofing (e.g., `http://legit.com.evil.com`). Additionally, the whitelist check fails because the `$linkinfo` variable is undefined, allowing unauthenticated remote attackers to construct malicious URLs.
Example payloads:
1. SSRF (probe internal service):
`GET /plus/download.php?open=1&link=aHR0cDovLzEyNy4wLjAuMQ==`
(Base64-decoded: `http://127.0.0.1`, triggers request to internal loopback address)
2. Open Redirect (phishing):
`GET /plus/download.php?open=1&link=aHR0cDovLzMuY29tQGV2aWwuY29t`
(Base64-decoded: `http://[email protected]`, redirects to evil.com)
Successful exploitation allows attackers to perform internal network service discovery, port scanning, or phishing attacks, which may lead to further compromise of the server and its internal infrastructure. |
|---|
| 用户 | R21Z20 (UID 97129) |
|---|
| 提交 | 2026-05-14 07時18分 (21 日前) |
|---|
| 管理 | 2026-06-01 19時55分 (19 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 367676 [DedeCMS 5.7.88 download.php?open=1 base64_decode 链接 权限提升] |
|---|
| 积分 | 17 |
|---|