Bingzero

Name of the Vulnerable Software and Affected Versions: DedeCMS version V5.7 SP2 Description: A file uploading issue exists, allowing attackers to upload and execute arbitrary PHP code. This can be achieved via the /dede/archives do.php?dopost=uploadLitpic endpoint, specifically through the `litpic` parameter, when the "Content-Type: image/jpeg" header is sent with a filename ending in .php that contains PHP code. Recommendations: For DedeCMS version V5.7 SP2, consider restricting access to the /dede/archives do.php endpoint or disabling the file upload functionality until a fix is available. Additionally, as a temporary workaround, restrict the `litpic` parameter to prevent uploading files with PHP code.