CVE-2024-35375
📋 TL;DR
This vulnerability lets an attacker upload arbitrary files through the media_add.php page of the DedeCMS backend. The upload handler does not restrict file types, so a PHP webshell can be written into the web root and then executed, giving remote code execution on the server. media_add.php is part of the admin backend (the /dede/ directory by default), so the attacker first needs a backend session, for example via a weak, reused or phished administrator password; from there exploitation is a single upload request. All DedeCMS installations running version 5.7.114 are affected.
💻 Affected Systems
- DedeCMS 5.7.114
📦 What is this software?
DedeCMS is an open-source PHP/MySQL content management system developed by DesDev, widely deployed for Chinese-language websites. Its administrative backend lives under the /dede/ directory by default, and media_add.php is the backend's media upload page.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with remote code execution, data theft, defacement, and lateral movement within the network.
Likely Case
Webshell deployment leading to data exfiltration, defacement, and potential ransomware deployment.
If Mitigated
File upload attempts blocked or logged with no successful exploitation.
🎯 Exploit Status
Multiple public proof-of-concept exploits are available; they show that a single file upload through media_add.php is enough to obtain RCE.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch is available for this CVE. Upgrade to the latest DedeCMS release if one has been published, and apply the workarounds below in the meantime.
🔧 Temporary Workarounds
Restrict access to media_add.php
Block or restrict access to the vulnerable endpoint in the web server configuration. Both rules below deny everyone, administrators included, so backend media uploads stop working until the rule is lifted; if administrators come from known addresses, allow only those addresses instead of denying all.
# Apache: Add to .htaccess (the directory needs AllowOverride Limit or All)
<Files "media_add.php">
# Apache 2.4 syntax
Require all denied
# Apache 2.2 syntax (works on 2.4 only with mod_access_compat loaded)
# Order Deny,Allow
# Deny from all
</Files>
# Nginx: Add to the server block BEFORE the generic "location ~ \.php$" fastcgi block,
# because nginx picks the first regex location that matches, in file order
location ~ /media_add\.php$ {
# either line alone is enough; return 403 runs first (rewrite phase)
deny all;
return 403;
}
Implement file upload validation
Add server-side validation that accepts only a short allowlist of safe extensions (an allowlist, not a blocklist: blocklists miss variants such as .phtml, .phar and .php5). An extension check alone is not sufficient: also verify that the file content matches the claimed type, store the file under a server-generated name rather than the client-supplied one, and configure the web server so that nothing under the upload directory is executed as PHP.
# Example PHP validation snippet: allowlist of extensions, checked on the server
$allowed_extensions = ['jpg', 'png', 'gif', 'pdf'];
# basename() strips any path components from the client-supplied name
$file_extension = strtolower(pathinfo(basename($_FILES['file']['name']), PATHINFO_EXTENSION));
# strict comparison so no type juggling can match a non-string value
if (!in_array($file_extension, $allowed_extensions, true)) {
    die('Invalid file type');
}
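As an added example (not DedeCMS code and not the PHP snippet above), the following Python sketches the complete set of checks the validation workaround should perform, written language-neutrally so it can be ported into the PHP upload handler. The magic-byte signatures are the standard JPEG/PNG/GIF/PDF headers; every file name and body used here is constructed.

```python
"""Upload validation checks: allowlisted extension, no executable extension
hidden in a double-extension name, no null byte, content matches the claimed
type, no embedded PHP tag, server-generated stored name.  Added example for
this page, not DedeCMS code.  File names and bodies are constructed."""
import hashlib
import os

ALLOWED_EXT = {"jpg", "png", "gif", "pdf"}
# Extensions a web server might execute; checked against EVERY dotted segment
# of the name so that "shell.php.jpg" is rejected as well as "shell.php".
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps",
                  "htaccess", "jsp", "asp", "aspx", "cgi", "pl"}
# Standard file signatures for the allowed types.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


def validate_upload(filename: str, content: bytes):
    """Return (ok, reason, stored_name).

    stored_name is derived from the content hash, never from the client name,
    so path components or tricks in the upload name cannot reach the disk."""
    # Strip any directory part the client supplied (either separator style).
    name = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in name:
        return False, "null byte in file name", None
    segments = name.lower().split(".")
    if len(segments) < 2 or not segments[0]:
        return False, "no extension", None
    ext = segments[-1]
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_EXT:
        return False, f"extension .{ext} not in allowlist", None
    # Double-extension check: "shell.php.jpg" passes the last-extension test
    # but Apache with mod_mime may still hand it to the PHP interpreter.
    for seg in segments[1:-1]:
        if seg in EXECUTABLE_EXT:
            return False, f"executable extension .{seg} inside name", None
    if not any(content.startswith(m) for m in MAGIC[ext]):
        return False, f"content does not look like {ext}", None
    # A polyglot image carrying PHP would still run if the upload directory is
    # ever misconfigured to execute PHP, so refuse PHP open tags in the body.
    if b"<?php" in content or b"<?=" in content:
        return False, "embedded PHP tag", None
    stored = hashlib.sha256(content).hexdigest()[:32] + "." + ext
    return True, "ok", stored


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + bytes(16)   # constructed JPEG header
    for fname, body in [("photo.jpg", jpeg), ("shell.php", b"<?php system($_GET['c']); ?>"),
                        ("shell.php.jpg", jpeg), ("poly.gif", b"GIF89a<?php echo 1; ?>")]:
        print(fname, validate_upload(fname, body))
```

The stored name is deterministic for a given body, which also makes duplicate uploads of the same shell easy to spot in the upload directory.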
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block file uploads to media_add.php
- Disable the media upload functionality entirely if not required
🔍 How to Verify
Check if Vulnerable:
An installation is vulnerable if it runs DedeCMS 5.7.114 and media_add.php is still reachable, i.e. it has not been blocked at the web server or removed. Because the page sits in the admin backend, also review who holds backend accounts and whether the backend login is exposed to the internet, since any of those accounts can reach the upload page.
Check Version:
Check /data/admin/ver.txt or view page source for version information in DedeCMS installation.
Verify Fix Applied:
In a test environment, attempt to upload a harmless file with a dangerous extension (for example test.php containing only a comment) through media_add.php. The request should be rejected (a 403 from the web server rule, or an "Invalid file type" error from the validation) and no file should appear under the upload directory. Remove any test file afterwards and confirm it is not served by the web server.
📡 Detection & Monitoring
Log Indicators:
- POST requests to media_add.php (under /dede/ by default)
- Uploads of files with executable extensions (.php, .phtml, .phar, .php5; .jsp or .asp on non-PHP stacks). A plain web-server access log records the request URI, not the uploaded file name, so this indicator has to come from the DedeCMS media records, the application's own log, or file-creation events on disk.
- Unexpected file creation in the upload directory (/uploads/ by default), especially files that are later requested over HTTP
Network Indicators:
- HTTP POST to the media_add.php endpoint, especially from addresses that do not normally use the backend
- A POST to media_add.php followed within minutes by a GET to a new path under the upload directory, often with query parameters such as ?cmd=
SIEM Query:
source="web_logs" AND uri="*/media_add.php" AND method="POST" AND (file_extension="php" OR file_extension="phtml" OR file_extension="jsp" OR file_extension="asp")
The file_extension field in this query must come from a log source that records uploaded file names (an application log or file-integrity monitoring). For web-server access logs, search instead for GET requests under /uploads/ whose path ends in an executable extension and correlate them by client IP with a preceding POST to media_add.php.
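The access-log correlation described above, as an added example for this page (not DedeCMS code): it parses combined-format log lines, reports every POST to media_add.php, and flags any request for an executable file under the upload directory, marking it correlated when the same client POSTed to the upload page shortly before. The log lines are constructed, and the upload directory prefix /uploads/ is the assumed DedeCMS default; the endpoint is matched on its file name because the /dede/ admin directory is often renamed.

```python
"""Correlate web-server access-log lines to spot a media_add.php upload that is
followed by a request to an executable file in the upload directory.  Added
example for this page, not DedeCMS code; the log lines are constructed and the
upload path is the assumed DedeCMS default."""
import re
from datetime import datetime, timedelta

UPLOAD_DIR_PREFIX = "/uploads/"               # assumed default upload directory
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                  "jsp", "asp", "aspx"}
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2024:10:01:02 +0000] "GET /dede/login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2024:10:01:20 +0000] "POST /dede/media_add.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2024:10:01:25 +0000] "GET /uploads/media/20240512/shell.php?cmd=id HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.4 - - [12/May/2024:10:05:00 +0000] "POST /dede/media_add.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [12/May/2024:10:05:03 +0000] "GET /uploads/media/20240512/brochure.pdf HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
192.0.2.9 - - [12/May/2024:10:07:00 +0000] "GET /uploads/media/20240512/x.phtml HTTP/1.1" 200 12 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["target"].split("?", 1)[0]   # drop the query string
    return rec


def has_executable_extension(path):
    """True if any dotted segment of the file name is an executable extension,
    so "shell.php.jpg" and "x.phtml" both count while "brochure.pdf" does not."""
    name = path.rsplit("/", 1)[-1].lower()
    return any(seg in EXECUTABLE_EXT for seg in name.split(".")[1:])


def find_suspicious(log_text):
    """Return findings in log order.

    Every POST to media_add.php is reported as "upload_post".  Every GET/POST
    for an executable file under the upload directory is reported as
    "executable_fetch", with correlated=True when the same client POSTed to
    the upload page within CORRELATION_WINDOW beforehand."""
    findings = []
    last_post = {}          # client ip -> time of its most recent upload POST
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Match on the file name: the /dede/ admin directory is often renamed.
        if rec["method"] == "POST" and rec["path"].endswith("/media_add.php"):
            last_post[rec["ip"]] = rec["ts"]
            findings.append({"kind": "upload_post", "ip": rec["ip"],
                             "path": rec["path"], "correlated": None})
        elif (rec["path"].startswith(UPLOAD_DIR_PREFIX)
              and has_executable_extension(rec["path"])):
            prior = last_post.get(rec["ip"])
            correlated = prior is not None and rec["ts"] - prior <= CORRELATION_WINDOW
            findings.append({"kind": "executable_fetch", "ip": rec["ip"],
                             "path": rec["target"], "correlated": correlated})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

On the sample, the POST from 203.0.113.7 followed five seconds later by a fetch of shell.php?cmd=id is the pattern to alert on first; the uncorrelated fetch of x.phtml from 192.0.2.9 still deserves a look, since the upload may have happened from another address or before the log window.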