Redaxo, Arbitrary File Upload Vulnerability, CVE-2023-XXXX (Critical)

How the Mentioned CVE Works:

The vulnerability in Redaxo v5.18.2 lies in the Mediapool upload (the mediapool/media page), which does not enforce an allow-list of file types on uploads. An attacker with an account that can upload to the Mediapool intercepts the upload request with a proxy such as Burp Suite and edits the multipart part's filename and Content-Type so that an HTML file is declared to be an image. Because the server accepts the client-declared name and type, the file is stored under the media directory as-is. It is then reachable through the web server from the site's own origin, and a browser that opens it renders the HTML and executes the embedded script. The result is stored cross-site scripting: anyone lured to the URL, including a logged-in administrator, runs the attacker's script with their own session, which is the route from this bug to content tampering, malware distribution via the site, or backend account takeover. Note that the script runs in the victim's browser, not on the server; on its own this is not server-side code execution.

DailyCVE Form:

Platform: Redaxo
Version: 5.18.2
Vulnerability: Arbitrary File Upload
Severity: Critical
Date: 2023-XX-XX

(End of form)

What Undercode Says:

Analytics:

  • Exploitation Likelihood: High. Any account that can upload to the Mediapool can trigger it with a proxy and a two-field edit of the request; no memory corruption, race or special tooling is involved.
  • Impact: rated Critical above. Concretely, the stored HTML runs as script in the browser of whoever opens it, in the site's origin, so an administrator's backend session can be driven by the attacker. The script does not execute on the server; server-side compromise would need a further step.
  • Affected Systems: Redaxo CMS installations running version 5.18.2 (see the linked advisory for the fixed release).

Commands:

1. Check Redaxo Version:

grep -i "version" /path/to/redaxo/config.yml

(The path depends on the installation; the backend's System page shows the running version and is the authoritative check.)

2. Mitigation:

There is no permission-bit fix for this bug, and `chmod -R 644` on the media tree would make things worse: it strips the execute bit from directories, so the web server can no longer traverse them, and it does nothing about rendering, because the browser executes the HTML it is served regardless of the file's mode bits. Update to a REDAXO release that validates media uploads (see the advisory under References for the fixed version), and configure the web server so nothing under the media directory is ever rendered as an HTML document (see Protection Steps).
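If the bug was exploitable before patching, the media tree may already hold a payload. The scanner below is an added example, not REDAXO tooling: it flags files whose extension claims an image but whose bytes do not carry that image's signature (a `poc.html.png`), files with extensions the web server would hand to a browser as a document or to PHP, and files of unknown extension whose leading bytes are HTML markup, which is what a `poc.1html` upload looks like on disk. The sample tree it scans is constructed inline; the function names, the marker list and the 1 KiB read are assumptions.

```python
"""Scan a media tree for HTML or script hiding under image-like names.
Added example; not REDAXO tooling. Paths and sample files are constructed."""
import os
import re
import sys
import tempfile

# Extension -> signature the file must start with if it claims to be that image type.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
# Extensions a web server serves as a document (SVG is XML but scriptable) or hands to PHP.
SCRIPTABLE_EXT = {".html", ".htm", ".xhtml", ".svg", ".php", ".phtml", ".phar"}
# Tags that make a browser sniff a typeless response as HTML.
HTML_MARKERS = re.compile(rb"<\s*(!doctype|html|script|iframe|svg|body|object|embed)\b", re.I)


def classify(path):
    """Return a reason the file is suspicious, or None if it looks like what it claims to be."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(1024)
    magic = IMAGE_MAGIC.get(ext)
    if magic is not None:
        # Claims to be an image: the bytes must say so too.
        return None if head.startswith(magic) else "magic-mismatch"
    if ext in SCRIPTABLE_EXT:
        return "scriptable-extension"
    if HTML_MARKERS.search(head):
        return "html-markup"  # e.g. poc.1html: unknown extension, HTML bytes
    return None


def scan_media(root):
    """Walk root and return sorted (relative path, reason) pairs for every suspicious file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reason = classify(full)
            if reason:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, reason))
    return sorted(findings)


# Constructed sample tree: two clean images, a PDF, and four files an attacker could have left.
SAMPLE_FILES = {
    "logo.png": IMAGE_MAGIC[".png"] + b"\x00" * 32,
    "photo.jpg": IMAGE_MAGIC[".jpg"] + b"\xe0\x00\x10JFIF",
    "manual.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "poc.1html": b'<IFRAME SRC="javascript:alert(1);"></IFRAME>',  # the advisory's PoC
    "poc.html.png": b"<html><script>alert(1)</script></html>",  # double extension
    "icon.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    "sub/page.html": b"<!doctype html><p>hi</p>",
}


def write_samples(root):
    """Materialise SAMPLE_FILES under root."""
    for rel, data in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo():
    """Write the constructed tree into a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        write_samples(root)
        return scan_media(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for rel, reason in (scan_media(target) if target else demo()):
        print(f"{reason:22} {rel}")
```

Run it with the media directory as the first argument on a real install; with no argument it scans the constructed tree. Every finding deserves a look, but a `magic-mismatch` or `html-markup` hit under a media tree that should only hold images and documents is the signature of exactly this upload.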

Exploit Steps:

1. Log in to Redaxo with an account that can upload to the Mediapool.

2. Navigate to Mediapool.

3. Upload a file (e.g., `poc.png`).

4. Intercept the upload request using Burp Suite.

5. Modify the filename to `poc.1html` and the file part's Content-Type to image/html.

6. Replace the file contents with the HTML payload:

<IFRAME SRC="javascript:alert(1);"></IFRAME>

7. Forward the request and open the uploaded file's URL under the media directory.

Why the odd extension works: the server stores the name as received, and a web server typically has no MIME mapping for `.1html`, so the file is sent without a usable Content-Type; the browser then sniffs the `<IFRAME>` markup as HTML and runs the `javascript:` URL in the site's origin.
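The steps above carried through in code, as an added Python example that is not from the advisory or from REDAXO: it builds the multipart body exactly as the edited Burp request looks (filename `poc.1html`, a chosen part Content-Type, the advisory's iframe payload), parses it the way a server would, and runs two validators over the result: `naive_check`, which trusts the client's Content-Type (the pattern a declared-type whitelist uses), and `strict_check`, which ignores that header and inspects the bytes. The function names, the form field name `file` and the constructed PNG sample are assumptions.

```python
"""Disguised-upload demo: the Burp-edited request versus two server-side validators.
Added example; not REDAXO code. Names are illustrative."""
import re
import uuid

# Constructed inputs: the advisory's PoC markup and the fixed signature bytes of PNG/JPEG.
HTML_PAYLOAD = b'<IFRAME SRC="javascript:alert(1);"></IFRAME>'
MAGIC = {"image/png": b"\x89PNG\r\n\x1a\n", "image/jpeg": b"\xff\xd8\xff"}
EXT_TO_MIME = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg"}


def build_multipart(field, filename, content_type, data):
    """Build the multipart/form-data body a browser sends, with the filename and the
    part's Content-Type set to whatever the attacker typed into Burp."""
    boundary = "----WebKitFormBoundary" + uuid.uuid4().hex[:16]
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    body = head + data + f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", body


def parse_multipart(content_type_header, body):
    """Server side: return (filename, declared Content-Type, bytes) of the first file part.
    Minimal parser, sufficient for the single-part bodies built above."""
    boundary = b"--" + content_type_header.split("boundary=", 1)[1].encode()
    for chunk in body.split(boundary)[1:-1]:  # drop preamble and the closing "--"
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        name = re.search(rb'filename="([^"]*)"', head)
        if not name:
            continue  # not a file part
        ctype = re.search(rb"(?im)^content-type:\s*(\S+)", head)
        declared = ctype.group(1).decode().lower() if ctype else "application/octet-stream"
        if data.endswith(b"\r\n"):  # the CRLF before the delimiter is not payload
            data = data[:-2]
        return name.group(1).decode(), declared, data
    raise ValueError("no file part in body")


def naive_check(declared_type):
    """The vulnerable pattern: trusts the Content-Type the client declared."""
    return declared_type in MAGIC


def strict_check(filename, data):
    """Hardened: whitelist the extension and require the bytes to carry that type's
    signature. The client's Content-Type is never consulted."""
    if any(c in filename for c in "/\\\x00"):
        return False
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    mime = EXT_TO_MIME.get(ext)
    return mime is not None and data.startswith(MAGIC[mime])


def demo():
    """Run both validators over four constructed uploads; returns {label: (naive, strict)}."""
    cases = {
        "advisory_poc": ("poc.1html", "image/html", HTML_PAYLOAD),  # the edit described above
        "png_disguise": ("poc.1html", "image/png", HTML_PAYLOAD),  # declares a whitelisted type
        "double_ext": ("poc.html.png", "image/png", HTML_PAYLOAD),  # name ends in .png, bytes are HTML
        "real_png": ("logo.png", "image/png", MAGIC["image/png"] + b"\x00" * 16),
    }
    results = {}
    for label, (fname, ctype, payload) in cases.items():
        header, body = build_multipart("file", fname, ctype, payload)
        name, declared, data = parse_multipart(header, body)
        assert data == payload, "multipart round-trip broke the payload"
        results[label] = (naive_check(declared), strict_check(name, data))
    return results


if __name__ == "__main__":
    for label, (naive, strict) in demo().items():
        print(f"{label:14} declared-type check: {naive!s:5}  content check: {strict}")
```

The `png_disguise` case is the one to take away: the advisory's literal `image/html` would already be rejected by a declared-type whitelist, but an attacker simply declares `image/png` instead, and only the check that reads the bytes rejects it. A production validator should go one step further and re-encode accepted images with an image library, which also strips any markup hidden in metadata.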

Protection Steps:

1. Input Validation:

Validate the file type on the server side from the file's contents. `$_FILES['file']['type']` is the Content-Type the client declared, which is exactly the header the exploit edits in Burp, so checking it proves nothing; sniff the uploaded bytes instead and keep a whitelist.

$allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg'];  // sniffed MIME type => extension to store under
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($_FILES['file']['tmp_name']);  // from the bytes, not the request
if (!isset($allowed[$mime])) {
    die("Invalid file type.");
}

2. File Renaming:

Store the file under a server-chosen name whose extension comes from the sniffed type, never from the client's filename, so that `poc.1html` or `poc.html.png` can only land on disk as `<random>.png` if its bytes really are a PNG.

$new_filename = bin2hex(random_bytes(8)) . '.' . $allowed[$mime];  // extension follows the sniffed type
if (!move_uploaded_file($_FILES['file']['tmp_name'], '/path/to/media/' . $new_filename)) {
    die("Upload failed.");
}

3. Web Server Configuration:

Make sure nothing under the media directory is ever rendered as a document. `php_flag engine off` is worthwhile defence in depth, but it only stops server-side PHP; this bug is client-side, so the headers are what actually neutralise an already-stored HTML file: `nosniff` stops the browser from sniffing a typeless response as HTML, and a `sandbox` CSP disables script in anything that is still rendered.

<Directory "/path/to/redaxo/media">
    php_flag engine off
    # requires mod_headers; php_flag is ignored under PHP-FPM, set the equivalent in the pool config
    Header set X-Content-Type-Options "nosniff"
    Header set Content-Security-Policy "sandbox"
</Directory>


References:

Reported By: https://github.com/advisories/GHSA-wppf-gqj5-fc4f