DedeCMS has been a popular content management system among Chinese web administrators for years. But in August 2023, security researchers flagged a serious issue—CVE-2023-40875, a set of Cross-Site Scripting (XSS) vulnerabilities, was discovered in versions up to and including 5.7.110. These bugs—found in the /dede/vote_edit.php script—are easy to exploit and could lead to significant risks for website owners.

In this deep dive, I’ll explain what happened, show you code samples, walk you through how this flaw really works, and share the best ways to protect yourself.

What Is CVE-2023-40875?

CVE-2023-40875 is the index assigned to a set of stored and reflected XSS vulnerabilities in DedeCMS. The bugs are found in the handling of the parameters votename and votenote in the vote_edit.php file within the /dede/ admin directory.

Anyone with access to this page—or in some configurations, even regular users—can inject malicious JavaScript into form fields. When someone later views the manipulated content in an admin panel or on a website, the script executes in their browser. This allows attackers to steal cookies, gain control of admin accounts, or launch phishing attacks.

How The Vulnerability Works

Suppose you’re adding or editing a poll (vote) through the backend management page /dede/vote_edit.php. The form collects a votename (poll title) and votenote (simple description or instructions).

Problem: These fields aren’t properly sanitized before being printed back out to users.

Here’s a rough sketch of how DedeCMS handles input

// ...in /dede/vote_edit.php

// Get the name and note from user input
$votename = $_POST['votename'];
$votenote = $_POST['votenote'];

// Insert or update into the database (no XSS filter)
$sql = "UPDATE dede_vote SET votename='$votename', votenote='$votenote' WHERE id='$voteid'";
$dsql->ExecuteNoneQuery($sql);

// Later, when displaying the vote:
echo "<h2>$votename</h2>";
echo "<div>$votenote</div>";

Let’s say an attacker submits this as the poll name (votename)

<script>alert('XSS');</script>

Later, when an admin views the votes, that JavaScript runs in their browser. Replace alert with code that sends cookies or does more harm, and attackers have a beachhead.

/dede/vote_edit.php?dopost=add

`

`

4. On save, this value is now in the database. Any time an admin or user views the poll, their browser will silently make a request to your.exploit.com—leaking their authentication cookie.

Important: Never run these tests on live or production systems. Only use for educational or white-hat testing with explicit permission.

Screenshot (for illustration)

<form action="vote_edit.php?dopost=save" method="POST">
  <input name="votename" value="<script>alert('XSS')</script>">
  <input name="votenote" value="">
  ...
</form>

- CVE-2023-40875 at NVD
- GitHub Disclosure (CN) (search for DedeCMS exposures)
- DedeCMS Official Site

Malware Delivery: Attackers might redirect users to dangerous sites.

If you run DedeCMS and have not patched or filtered your install, your entire site is at risk. And while most targets are Chinese-language sites, English-speaking admins using DedeCMS aren’t safe.

Upgrade ASAP.

Look for updates or patches from DedeCMS’s official site or your distro. Do *not* use version ≤5.7.110.

Manual Mitigation:

If you must use the vulnerable version, sanitize output with PHP’s htmlspecialchars() everywhere user input is echoed:

`php

echo "

" . htmlspecialchars($votename, ENT_QUOTES, 'UTF-8') . "

";
echo "" . htmlspecialchars($votenote, ENT_QUOTES, 'UTF-8') . "";

Limit Panel Access:

Restrict access to /dede/ with strong passwords, IP whitelisting, and two-factor authentication.

Conclusion

CVE-2023-40875 proves that even widely-used open source CMSs can harbor dangerous flaws—sometimes for years. If you use DedeCMS (version 5.7.110 or older), update now or take immediate precautions.

If you’re interested in web security, always keep your platforms up-to-date and test input/output handling for these classic gotchas.

Stay safe, keep coding, and never trust user input!

*Original post, exclusive to this conversation. For detailed updates, follow official DedeCMS channels and subscribe to CNVD/CVE bulletins.*

Timeline

Published on: 08/24/2023 15:15:07 UTC
Last modified on: 08/25/2023 13:20:02 UTC