PT-2019-18076 · Dedecms · Dedecms

Published

2019-01-15

·

Updated

2021-07-21

·

CVE-2019-6289

CVSS v3.1

8.8

High

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions DedeCMS V5.7 UTF8 SP2
Description An attacker with low-privileged access to the application (the vector's PR:L) can upload a file with an allowed extension and then rename it to a mixed-case variation of the .php extension, for example 1.pHP. The extension check on the new name is a case-sensitive comparison, so .pHP is not recognised as PHP and the rename is accepted, while the web server maps the extension to the PHP interpreter case-insensitively (Apache's mod_mime extension matching is case-insensitive). Requesting the renamed file therefore executes attacker-supplied PHP code on the server with the web server's privileges.
Recommendations For DedeCMS V5.7 UTF8 SP2, until a vendor patch is applied: normalise the new filename to lower case before checking its extension and compare it against an allowlist of permitted extensions rather than a blacklist, so that no case variation of .php (or of other server-executable extensions) can survive a rename. As a temporary workaround, restrict access to uploads/include/dialog/select_soft.php to trusted administrators. Independently of the application check, configure the web server so that files under the upload directory are never handed to the PHP interpreter, and audit existing upload directories for files whose extension matches .php case-insensitively, since files renamed before the fix remain executable.
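The following is an added example, not DedeCMS code: it models the pattern of the flaw described above (a case-sensitive blacklist check on the renamed file's extension) next to a hardened check that lower-cases the extension and uses an allowlist. The function names and the sample filenames are constructed for this illustration; the hardened version deliberately goes beyond the single mixed-case case in the advisory by also rejecting names with path components or more than one dot.

```php
<?php
// Added example (not DedeCMS code): why a case-sensitive extension check
// lets "1.pHP" through, and what a hardened replacement looks like.

// Pattern of the flaw: the new filename is checked against a blacklist of
// dangerous extensions with a case-sensitive comparison. "1.pHP" passes
// because 'pHP' !== 'php', yet Apache's mod_mime maps .pHP to the PHP
// handler case-insensitively, so the renamed file executes.
function vulnerable_rename_allowed(string $newName): bool
{
    $blocked = ['php', 'phtml', 'php3', 'php4', 'php5'];
    $ext = pathinfo($newName, PATHINFO_EXTENSION);
    return !in_array($ext, $blocked, true);   // case-sensitive comparison
}

// Hardened version: allowlist instead of blacklist, extension normalised to
// lower case, and a name with path separators, zero dots or more than one dot
// is rejected outright (covers "x.jpg.php", "x.php." and "../x.jpg" as well).
function hardened_rename_allowed(string $newName): bool
{
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'zip', 'rar'];   // assumed policy
    $base = basename($newName);
    if ($base !== $newName || $base === '' || substr_count($base, '.') !== 1) {
        return false;
    }
    [$stem, $ext] = explode('.', $base, 2);
    if ($stem === '' || !preg_match('/\A[a-z0-9_-]+\z/i', $stem)) {
        return false;
    }
    return in_array(strtolower($ext), $allowed, true);
}

// Constructed sample names, including the 1.pHP case from the advisory.
$samples = ['1.jpg', '1.php', '1.pHP', '1.PHP', 'shell.jpg.php', '1.php.', '../1.jpg'];
foreach ($samples as $name) {
    printf("%-15s vulnerable: %-5s hardened: %s\n",
        $name,
        vulnerable_rename_allowed($name) ? 'allow' : 'block',
        hardened_rename_allowed($name) ? 'allow' : 'block');
}
```

Running the script shows the vulnerable check allowing 1.pHP, 1.PHP, 1.php. and ../1.jpg while the hardened check allows only 1.jpg. The key change is not the longer blacklist but the switch to an allowlist applied after lower-casing: a blacklist has to anticipate every spelling the server will execute, an allowlist only has to name what the application actually needs.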

Fix

RCE


Weakness Enumeration

Related Identifiers

CVE-2019-6289

Affected Products

Dedecms