DedeCMS SQL Injection Vulnerability in freelist_main.php Prior to 5.7.118

Vulnerability

A critical SQL injection vulnerability has been identified in DedeCMS versions prior to 5.7.118. The issue resides in the freelist_main.php file within the administrator backend. The vulnerability is caused by inadequate input validation of the 'orderby' parameter, which is directly appended to SQL queries without proper sanitization or validation. This flaw allows authenticated administrators to execute arbitrary SQL commands using time-based blind SQL injection techniques, extracting sensitive information from the database, such as administrator credentials and CMS content. The vulnerability is exacerbated by a misconfiguration that disables SQL safety checks, leaving the application open to exploitation.

Impact

Exploitation of this vulnerability allows for complete database access through arbitrary SQL command execution. It enables the extraction of administrator password hashes, which can be cracked offline for full administrative access to the CMS. The vulnerability also poses a risk of website defacement and allows for persistence by modifying database content.

Reproduction

To reproduce this vulnerability, an authenticated administrator must send a request to the '/dede/freelist_main.php' file with a crafted 'orderby' parameter that includes SQL injection payloads. The injection can be verified by observing a delay in the response time, indicating that the injected payload was executed. Once the vulnerability is confirmed, the administrator can use time-based blind SQL injection techniques to extract sensitive data from the database, such as password hashes from the 'dede_admin' table.

Remediation

To address this vulnerability, DedeCMS users should implement whitelist validation for the 'orderby' parameter, re-enable SQL safety checks in the 'config.php' file, and change all administrator passwords. Additionally, a review of database logs for suspicious queries and an audit of other files for similar vulnerabilities is recommended.
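The following PHP snippet is an added illustration, not DedeCMS's own code, showing the flaw class and the whitelist remediation described above side by side. Function names, the column list and the table name are assumptions; the point is that the request value is used only as a key into a fixed map and never as SQL text. It does not cover the config.php safety-check setting, which is a separate change.

```php
<?php
// Added example, not DedeCMS's own code. Shows a user-supplied 'orderby'
// value concatenated into ORDER BY (the vulnerable pattern) next to the
// whitelist validation the remediation calls for. buildListQueryUnsafe(),
// buildListQuerySafe(), the column map and the table name are assumed.

// Vulnerable pattern: whatever arrives in ?orderby=... becomes part of the
// SQL statement, so the caller controls the query text after ORDER BY.
function buildListQueryUnsafe(string $orderby): string
{
    return "SELECT id, title FROM dede_freelist ORDER BY " . $orderby;
}

// Hardened pattern: the request value selects a column from a fixed map;
// anything not in the map falls back to a safe default. The SQL text is
// built only from constants defined here, never from the request.
const ORDERBY_WHITELIST = [
    'id'      => 'id',
    'title'   => 'title',
    'pubdate' => 'pubdate',
];

function buildListQuerySafe(string $orderby, string $dir = 'DESC'): string
{
    $column    = ORDERBY_WHITELIST[$orderby] ?? 'id';
    $direction = strtoupper($dir) === 'ASC' ? 'ASC' : 'DESC';
    return "SELECT id, title FROM dede_freelist ORDER BY `$column` $direction";
}

// Demonstration with a constructed, non-column value standing in for
// untrusted input (not a real payload). The unsafe builder echoes it into
// the statement; the safe builder ignores it and orders by the default.
$tainted = "title -- constructed, not a column name";
echo buildListQueryUnsafe($tainted), PHP_EOL;
echo buildListQuerySafe($tainted), PHP_EOL;
echo buildListQuerySafe('pubdate', 'asc'), PHP_EOL;
```

A quick check that a handler has been fixed is to confirm that the only strings reaching the query builder are map values, not request values; a grep for `ORDER BY` followed by a variable derived from `$_GET` or `$_REQUEST` is a cheap way to find the remaining instances the remediation's audit of other files asks for.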

Added: Dec 22, 2025, 1:18 AM
Updated: Dec 22, 2025, 1:18 AM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 5.0
exploitability: 6.8
remediation: 0.0
relevance: 1.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.