CVE-2023-37839

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to upload arbitrary PHP files to DedeCMS v5.7.109 through the /dede/file_manage_control.php endpoint, leading to remote code execution. Attackers can gain full control of affected systems, potentially compromising websites and underlying servers. All DedeCMS v5.7.109 installations with the vulnerable file accessible are affected.

💻 Affected Systems

Products:
  • DedeCMS
Versions: v5.7.109
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the /dede/file_manage_control.php file to be accessible, which is part of default installation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with attacker gaining root/admin access, data theft, ransomware deployment, and persistent backdoor installation.

🟠 Likely Case: Website defacement, data exfiltration, malware distribution, and use as pivot point for lateral movement in network.

🟢 If Mitigated: Attack blocked at web application firewall level with file upload restrictions preventing PHP execution.

🌐 Internet-Facing: HIGH - Directly exploitable via web interface without authentication in default configurations.
🏢 Internal Only: MEDIUM - Requires access to admin panel or internal network, but still critical if exploited.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple file upload exploit with publicly available proof-of-concept code. No authentication required in vulnerable configurations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v5.7.110 or later

Vendor Advisory: https://www.dedecms.com/ (check for security updates)

Restart Required: No

Instructions:

1. Backup current installation.
2. Download latest DedeCMS version from official site.
3. Replace affected files, particularly /dede/file_manage_control.php.
4. Verify file permissions and remove any suspicious uploaded files.

🔧 Temporary Workarounds

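Restrict file upload directory (platform: all)

Prevent PHP execution in upload directories via .htaccess or web server configuration

# Apache .htaccess, placed in the upload directory.
# Order/Deny is Apache 2.2 syntax; on Apache 2.4 without mod_access_compat,
# use "Require all denied" instead.
<FilesMatch "\.(php|php5|phtml)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

# Nginx location block. Scope the match to the upload directory: as written,
# at server level it denies every request ending in .php, including the CMS itself.
location ~* \.php$ {
    deny all;
}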

Remove vulnerable file (platform: linux)

Delete or rename the vulnerable file_manage_control.php if not needed

# Option 1: delete the file
rm /path/to/dede/file_manage_control.php
# Option 2: rename it instead (run one option, not both)
mv /path/to/dede/file_manage_control.php /path/to/dede/file_manage_control.php.bak

🧯 If You Can't Patch

  • Implement strict WAF rules blocking file uploads to /dede/file_manage_control.php
  • Restrict access to /dede/ directory via IP whitelisting or authentication

🔍 How to Verify

Check if Vulnerable:

Check if /dede/file_manage_control.php exists and is accessible. Attempt to upload a test file with PHP extension.

Check Version:

Check DedeCMS version in /data/common.inc.php or admin panel

Verify Fix Applied:

Verify file_manage_control.php has been updated or removed. Test that PHP file uploads are blocked.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /dede/file_manage_control.php with file uploads
  • Unexpected PHP file creation in upload directories
  • Web server error logs showing blocked PHP execution attempts

Network Indicators:

  • Unusual outbound connections from web server
  • HTTP requests with suspicious file upload patterns

SIEM Query:

source="web_logs" AND uri="/dede/file_manage_control.php" AND method="POST" AND (file_extension="php" OR file_extension="phtml")
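
The log indicators above, applied to web server access logs, as an added example that is not part of the original advisory or of DedeCMS: it flags POSTs to file_manage_control.php and then first-time requests for script files from the same client. The combined log format, the file-name match (to cover a renamed admin directory) and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "METHOD uri PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')
# Match on the file name so a renamed admin directory is still covered (assumption).
ENDPOINT_FILE = "/file_manage_control.php"
SCRIPT_EXT = (".php", ".php5", ".phtml")  # extensions from the page's FilesMatch rule

def find_upload_activity(lines):
    """Return (upload_posts, followups) as lists of (time, ip, path, status).

    upload_posts: POST requests to the file manager endpoint.
    followups: script paths not seen earlier in the log, requested by an IP
    that already POSTed to the endpoint (possible access to an uploaded file).
    """
    seen_paths, uploader_ips = set(), set()
    upload_posts, followups = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected log format
        # Normalise: drop the query string, collapse "//", ignore case.
        path = re.sub(r"/+", "/", urlsplit(m["uri"]).path).lower()
        hit = (m["ts"], m["ip"], path, m["status"])
        if m["method"] == "POST" and path.endswith(ENDPOINT_FILE):
            upload_posts.append(hit)
            uploader_ips.add(m["ip"])
        elif (path.endswith(SCRIPT_EXT) and path not in seen_paths
              and m["ip"] in uploader_ips):
            followups.append(hit)
        seen_paths.add(path)
    return upload_posts, followups

# Constructed sample lines (documentation IP ranges, made-up paths), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [12/Jul/2023:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Jul/2023:10:04:10 +0000] "POST /dede//file_manage_control.php HTTP/1.1" 200 312',
    '203.0.113.9 - - [12/Jul/2023:10:04:15 +0000] "GET /uploads/a1.php?x=1 HTTP/1.1" 200 48',
    '198.51.100.7 - - [12/Jul/2023:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Jul/2023:10:06:00 +0000] "GET /uploads/a1.phtml HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for rows in find_upload_activity(SAMPLE):
        print(*rows, sep="\n")
```

A follow-up with status 403 corresponds to a blocked execution attempt; a 200 on a script path that did not exist before the upload POST warrants checking the file on disk.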
