CVE-2024-30855: Silent Admin Takeover Risk in DedeCMS via CSRF

Executive Summary (At a Glance)

  • CVE ID: CVE-2024-30855
  • Product: DedeCMS
  • Affected Version: v5.7
  • Vulnerability Type: Cross-Site Request Forgery (CSRF)
  • Affected Component: /src/dede/makehtml_list_action.php
  • Authentication Required: Yes (victim must be logged in)
  • User Interaction Required: Yes
  • CVSS Score: Not officially assigned
  • Practical Severity: High (admin-level action abuse possible)
  • Exploit Availability: No fully weaponized public exploit observed, but exploitation is trivial once parameters are known
  • Remote Exploitable: Yes
  • Impact Scope: Integrity, Availability (and potentially Confidentiality if chained)

Vulnerability Overview

CVE-2024-30855 is a Cross-Site Request Forgery (CSRF) vulnerability affecting DedeCMS v5.7, specifically the administrative endpoint:

/src/dede/makehtml_list_action.php

This endpoint performs backend operations related to HTML generation and content processing. The core issue is that the endpoint does not validate CSRF tokens or reliably verify request origin, allowing state-changing actions to be executed solely based on an authenticated session cookie.

If an administrator is logged into DedeCMS and is tricked into visiting a malicious webpage, that page can silently force the admin’s browser to send a forged request to this endpoint. The CMS will treat the request as legitimate and execute it with admin privileges.


Why This Is Dangerous

CSRF vulnerabilities are often underestimated, but in admin panels they are extremely dangerous because:

  • Admin sessions usually have full CMS privileges
  • Browsers automatically attach session cookies
  • No malware or exploit kit is required
  • The attack leaves very little forensic evidence
  • It can be chained with other vulnerabilities

In this case, the vulnerable endpoint controls content generation and backend actions, which historically have been abused to:

  • Regenerate malicious pages
  • Trigger unexpected backend workflows
  • Assist in privilege escalation or web shell persistence when chained with file-write or template issues

Technical Root Cause

The vulnerability exists because:

  1. The endpoint accepts state-changing HTTP requests
  2. It relies solely on session cookies for authentication
  3. There is no anti-CSRF token validation
  4. There is no strict Origin or Referer enforcement
  5. Requests can be triggered via standard browser behavior

This violates basic secure-by-design principles for administrative actions.


Exploitation Flow

Preconditions

  • Target site runs DedeCMS v5.7
  • Victim is logged into the admin panel
  • Victim visits an attacker-controlled webpage

Attack Steps

  1. Attacker creates a malicious webpage containing a hidden form or auto-executing request.
  2. The page submits a POST (or GET, depending on configuration) request to: /src/dede/makehtml_list_action.php
  3. The victim’s browser automatically includes valid admin session cookies.
  4. The CMS backend accepts the request as legitimate.
  5. The action is executed with full admin privileges.

No alerts, pop-ups, or confirmations are shown to the victim.


Example CSRF Payloads (Illustrative)

Auto-Submitting POST Request

<html>
<body onload="document.forms[0].submit()">
  <form action="https://target-site.com/src/dede/makehtml_list_action.php" method="POST">
    <input type="hidden" name="action" value="makehtml">
    <input type="hidden" name="typeid" value="1">
  </form>
</body>
</html>

Image-Based Trigger (If GET Is Accepted)

<img src="https://target-site.com/src/dede/makehtml_list_action.php?action=makehtml&typeid=1">

The exact parameters depend on how the CMS is configured, but once known, exploitation is trivial.


Impact Assessment

Direct Impact

  • Unauthorized admin-level actions
  • Silent backend manipulation
  • Forced content regeneration

Indirect / Chained Impact

  • Persistent malicious content
  • Facilitation of file-write or template abuse
  • Reduced trust in audit logs (actions appear “legitimate”)

Business Risk

  • Website defacement
  • SEO poisoning
  • Regulatory exposure if content integrity is compromised
  • Loss of administrative control

MITRE ATT&CK & CWE Mapping

CWE

  • CWE-352 – Cross-Site Request Forgery (CSRF)

MITRE ATT&CK (Relevant Techniques)

  • T1071 – Application Layer Protocol (HTTP abuse)
  • T1190 – Exploit Public-Facing Application
  • T1204.001 – User Execution (malicious link)

Detection Strategy

Recommended Log Sources

  • Web server access logs (Apache / Nginx / IIS)
  • CMS administrative action logs
  • WAF / Reverse proxy logs
  • SIEM HTTP telemetry
  • Endpoint browser telemetry (for admin machines)

Indicators of Suspicious Activity

  • POST requests to makehtml_list_action.php with external referrers
  • Admin actions occurring without corresponding UI activity
  • Requests from unexpected IPs during active admin sessions
  • Repeated backend generation requests in short time windows
  • Admin complaints of “things changing on their own”

KQL Detection Rules (Microsoft Sentinel / Defender)

Suspicious POST With External Referrer

CommonSecurityLog
// CEF maps the HTTP Referer to RequestContext and the User-Agent to RequestClientApplication;
// CommonSecurityLog has no Referrer or UserAgent column, so those names fail to resolve.
| where RequestURL contains "/src/dede/makehtml_list_action.php"
| where RequestMethod == "POST"
| where isnotempty(RequestContext)
// substring matching is loose (an attacker host can contain "yourdomain.com");
// compare tostring(parse_url(RequestContext).Host) against the admin host where possible
| where RequestContext !contains "yourdomain.com"
| project TimeGenerated, SourceIP, RequestURL, RequestContext, RequestClientApplication

High-Frequency Admin Action Trigger

CommonSecurityLog
| where RequestURL contains "makehtml_list_action.php"
| summarize count() by SourceIP, bin(TimeGenerated, 5m)
| where count_ > 10

Splunk Detection Queries

External Referrer CSRF Pattern

index=web_logs uri_path="/src/dede/makehtml_list_action.php" method=POST
| where NOT like(referer,"%yourdomain.com%")
| stats count by src_ip, user_agent, referer

Unexpected Admin Activity

index=web_logs uri_path="/src/dede/makehtml_list_action.php"
| timechart span=5m count by src_ip
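As an added example (not from the original advisory and not DedeCMS code), the Python below applies the same two checks as the SIEM queries above to raw Apache combined-format access log lines, so the pattern can be hunted offline without a SIEM; it goes a little further than the queries by also flagging hits with no Referer at all, since the image-based GET variant usually arrives without one. The hostname cms.example.com, the IPs and the log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Constructed Apache combined-format lines (not real traffic): one legitimate
# admin UI post, one CSRF-style post, the img/GET variant, and unrelated noise.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:10:01:02 +0000] "POST /src/dede/makehtml_list_action.php HTTP/1.1" 200 512 "https://cms.example.com/src/dede/makehtml_list.php" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:10:01:40 +0000] "POST /src/dede/makehtml_list_action.php HTTP/1.1" 200 512 "https://attacker.example.net/bait.html" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:10:01:41 +0000] "GET /src/dede/makehtml_list_action.php?action=makehtml&typeid=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TARGET = "/src/dede/makehtml_list_action.php"
TRUSTED_HOSTS = {"cms.example.com"}  # assumed hostname of the admin panel

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def referer_host(referer):
    # Apache logs a missing Referer as "-"; treat that like an empty header.
    return urlsplit(referer).hostname if referer not in ("", "-") else None

def analyze(log_text, window_s=300):
    """Return (suspicious, per_bin): endpoint hits whose Referer is missing or
    from a non-trusted host, and hit counts per source IP per time window."""
    suspicious, per_bin = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["path"].split("?", 1)[0] != TARGET:
            continue
        bucket = int(rec["ts"].timestamp()) // window_s * window_s
        per_bin[(rec["ip"], bucket)] += 1
        if referer_host(rec["referer"]) not in TRUSTED_HOSTS:
            suspicious.append((rec["ip"], rec["method"], rec["referer"]))
    return suspicious, per_bin
```

Run analyze(SAMPLE_LOG) and compare the per-bin counts against the baseline for your own admins before alerting on them.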

WAF Rule Logic

  • Block or challenge POST requests to /src/dede/makehtml_list_action.php if:
    • Origin or Referer is missing or external
    • CSRF token parameter is missing
    • Request frequency exceeds normal baseline

Mitigation & Remediation

Immediate Mitigations

  • Restrict /src/dede/ access by IP or VPN
  • Place admin panel behind additional authentication
  • Add WAF rules for CSRF behavior
  • Force logout of all admin sessions

Long-Term Fix

  • Apply official DedeCMS patch when released
  • Implement CSRF tokens for all admin endpoints
  • Enforce strict Origin/Referer validation
  • Reduce admin session lifetime
  • Enable detailed admin activity logging
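The following Python, added here as an illustration and not DedeCMS code, shows the request gate that the WAF rule logic and the long-term fixes above describe: a per-session CSRF token compared in constant time, Origin (or Referer) checked against an allowlist and failing closed when absent, and GET rejected for state changes so the image-based trigger cannot fire. The origin cms.example.com, the session keys admin_id and csrf_token, and the form parameter name csrf_token are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the admin panel (whatever host serves /src/dede/).
TRUSTED_ORIGINS = {"https://cms.example.com"}

def issue_csrf_token(session):
    """Mint a per-session token when the admin page that renders the form is
    served; the form echoes it back in a hidden csrf_token field."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def origin_allowed(headers):
    """Strict Origin/Referer check: prefer Origin, fall back to the Referer's
    scheme+host, and treat both missing as untrusted (fail closed)."""
    origin = headers.get("Origin")
    if not origin:
        ref = headers.get("Referer")
        if not ref:
            return False
        p = urlsplit(ref)
        origin = f"{p.scheme}://{p.netloc}"
    return origin in TRUSTED_ORIGINS

def admin_action_allowed(method, headers, form, session):
    """Gate a state-changing admin request: POST only (so an <img> GET cannot
    trigger it), authenticated session, valid token, trusted origin."""
    if method != "POST":
        return False, "state change must be POST"
    if not session.get("admin_id"):
        return False, "not authenticated"
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid CSRF token"
    if not origin_allowed(headers):
        return False, "missing or external Origin/Referer"
    return True, "ok"
```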

Official Patch Status

At the time of analysis:

  • No official vendor patch page or advisory has been published
  • No confirmed fixed version is publicly documented

Until an official patch is released, this vulnerability should be treated as unpatched and mitigated at the network and application layer.


Final Takeaway

Although technically “just” a CSRF issue, CVE-2024-30855 enables silent admin-level abuse and is especially dangerous in real-world environments where admins browse the web while logged in. The lack of CSRF protection on a backend processing endpoint makes exploitation low-effort and high-impact.

This vulnerability should be prioritized for monitoring, mitigation, and patching.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.