Redaxo CMS Mediapool Addon 5.5.1 Arbitrary File Upload

Vulnerability

The Redaxo CMS Mediapool Addon versions 5.5.1 and older contain an arbitrary file upload vulnerability. The addon uses a blacklist filter that blocks file extensions such as php, php4, php5, php6, and php7. However, the filter does not account for obfuscated extensions like php71 or php53, allowing attackers to bypass the restriction. This affects the mediapool functionality within Redaxo CMS [2][3].

Exploitation

An attacker must have an authenticated editor account on the Redaxo CMS. The attacker can log in, navigate to the mediapool page (?page=mediapool/media), and upload a malicious file with an obfuscated extension (e.g., shell.php71). The file is accepted because the blacklist does not recognize the obfuscated extension. The attacker can then access the uploaded file to execute arbitrary code [3].

Impact

Successful exploitation allows an attacker to upload and execute arbitrary PHP code on the server. This leads to full compromise of the web application, including data theft, privilege escalation, and potential server takeover. The CVSS v4 vector indicates high impact to confidentiality, integrity, and availability [2].

Mitigation

The vulnerability is fixed in Mediapool Addon version 2.4.0 and Redaxo CMS version 5.6.0, released on 2018-06-08 [3]. Users should upgrade to the latest version. No workarounds are documented; upgrading is the only mitigation.