SRC-2021-0022 : Dedecms ShowMsg Template Injection Remote Code Execution Vulnerability


CVSS Score: 9.8, (/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Vendors: Dedecms

Affected Products: Dedecms v5.8.1 pre-release

Vulnerability Details:

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Dedecms. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the processing of the rendering templates. The issue results from the lack of proper validation of a user-supplied HTTP referer header when processing error messages. An attacker can leverage this vulnerability to execute code in the context of the web server.

Vendor Response:

Dedecms has issued an update to correct this vulnerability. Technical details can be found at:

Disclosure Timeline:

  • 2021-09-23 – Sent to Dedecms

  • 2021-09-25 – Silent patch in commit 8c1f1a3b66b08b7c093cf7a3102d80e23f30d4b1

  • 2021-09-30 – Uncoordinated public release of advisory

Proof of Concept: curl --referer '<?php "system"($c);die;/*' 'http://target.tld/plus/flink.php?dopost=save&c=id'

Credit: This vulnerability was discovered by Steven Seeley (mr_me) of Qihoo 360 Vulcan Team