DedeCMS 7.5 SP2 – Persistent Cross-Site Scripting – Digitalmunition




Exploit/Advisories 1586856090_spider-orange.png

Published on April 15th, 2020 📆 | 4302 Views ⚑

0

DedeCMS 7.5 SP2 – Persistent Cross-Site Scripting

# Title: DedeCMS 7.5 SP2 - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Vendor Link: http://www.dedecms.com
# Software Link: http://www.dedecms.com/products/dedecms/downloads/
# CVE: N/A

Document Title:
===============
DedeCMS v7.5 SP2 - Multiple Persistent Web Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2195


Release Date:
=============
2020-04-09


Vulnerability Laboratory ID (VL-ID):
====================================
2195


Common Vulnerability Scoring System:
====================================
4.3


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
Welcome to use the most professional PHP website content management
system in China-Zhimeng content management system,
he will be your first choice for easy website building. Adopt XML name
space style core templates: all templates are
saved in file form, which provides great convenience for users to design
templates and website upgrade transfers.
The robust template tags provide strong support for webmasters to DIY
their own websites. High-efficiency tag caching
mechanism: Allows the caching of similar tags. When generating HTML, it
helps to improve the reaction speed of the
system and reduce the resources consumed by the system.

(Copy of the homepage: http://www.dedecms.com/products/dedecms/downloads/)


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
persistent cross site vulnerabilities in
the official DedeCMS v5.7 SP2 (UTF8) web-application.


Affected Product(s):
====================
DesDev Inc.
Product: DedeCMS - Content Management System  v5.7 SP2


Vulnerability Disclosure Timeline:
==================================
2020-04-09: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
Multiple persistent cross site scripting vulnerabilities has been
discovered in the official DedeCMS v5.7 SP2 UTF8  web-application.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise browser to
web-application requests from the application-side.

The persistent script code inject web vulnerabilities are located in the
`activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor`
and `CKEditorFuncNum`parameters of the  `file_pic_view.php`,
`file_manage_view.php`, `tags_main.php`, `select_media.php`,
`media_main.php` files.
The attack vector of the vulnerability is non-persistent and the request
method to inject is POST. Successful exploitation of the vulnerability
results in session hijacking, persistent phishing attacks, persistent
external redirects to malicious source and persistent manipulation
of affected or connected application modules.

Request Method(s):
[+] POST

Vulnerable File(s):
[+] file_pic_view.php
[+] file_manage_view.php
[+] tags_main.php
[+] select_media.php
[+] media_main.php

Vulnerable Parameter(s):
[+] tag
[+] keyword
[+] activepath
[+] fmdo=move&filename & fmdo=edit&filename
[+] CKEditor & CKEditor=body&CKEditorFuncNum


Proof of Concept (PoC):
=======================
The web vulnerabilities can be exploited by remote attackers with
privileged user account and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.


Request: Examples
https://test23.localhost:8080/dede/file_manage_view.php?fmdo=move&filename=test&activepath=%2Fuploads
https://test23.localhost:8080/dede/tags_main.php?tag=&orderby=total&orderway=desc
https://test23.localhost:8080/include/dialog/select_media.php?CKEditor=body&CKEditorFuncNum=2&langCode=en


PoC: Payload
".>""%20
>"%20< "
>">


Source link

Tagged with:



Leave a Reply

Your email address will not be published. Required fields are marked *


loading...