The vulnerability is a reflected Cross-Site Scripting (XSS) in the Mediapool backend component. The attack flow begins when a user visits a maliciously crafted URL containing a payload in the `args[bash]` parameter. The `index.php` file in the mediapool receives this request and reads the `args` parameter into an array via `rex_request('args', 'array')`. This array, `$argUrl`, is then passed to the `media.list.php` script for rendering. Crucially, `media.list.php` checks whether `$argUrl['args']['types']` is present and not empty. If so, it injects this user-controlled value directly into an HTML string with `echo`, without applying any HTML escaping. The value is wrapped inside `` tags within a rex_view info banner. Because the input is not sanitized, any HTML tags or JavaScript within the `args[bash]` parameter are rendered and executed by the victim's browser, leading to arbitrary script execution in the backend context.
Platform: REDAXO CMS
Version: < 5.15.1
Vulnerability: Reflected XSS
Severity: Medium
Date: 2024-06-05
Prediction: Patch available
What Undercode Says:
`curl -s "http://localhost/redaxo/index.php?page=mediapool/media&args[bash]=test" | grep -A 2 "pool_file_filter"`
`echo '
' | base64`
`./bin/rex system:update`
How to Exploit:
`/index.php?page=mediapool/media&args[bash]=">`
`/index.php?page=mediapool/media&args[bash]=`
Protection from this CVE:
Update to version 5.15.1
Implement output escaping
Sanitize user input
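As an added illustration of the render path described above and of the "implement output escaping" mitigation, here is the vulnerable echo pattern next to its escaped form. This is example code written for this page, not REDAXO's own `media.list.php`. The function names `renderFilterBannerVulnerable`, `renderFilterBannerFixed` and `outputContainsRawTag`, the `<code>` wrapper and the constructed `$argUrl` contents are assumptions; core PHP `htmlspecialchars()` stands in for REDAXO's `rex_escape()` so the script runs without the framework.

```php
<?php
// Added example, not REDAXO code. Models the advisory's description:
// a user-controlled filter value from the request array is echoed into
// an info banner. Only htmlspecialchars() is a real API call here;
// the rest is a stand-in for the mediapool render path.
declare(strict_types=1);

/**
 * "Before" state, kept deliberately vulnerable: the value read from the
 * request is concatenated into markup with no escaping, so any tags in
 * it reach the browser as tags. The <code> wrapper is an assumption.
 */
function renderFilterBannerVulnerable(array $argUrl): string
{
    if (!empty($argUrl['args']['types'])) {
        return '<div class="rex-info">Filter: <code>'
            . $argUrl['args']['types']
            . '</code></div>';
    }
    return '';
}

/**
 * Hardened form: the same value is HTML-escaped before it is placed in
 * the output. REDAXO provides rex_escape() for this purpose; plain
 * htmlspecialchars() with ENT_QUOTES is the core-PHP equivalent and is
 * used so the script runs stand-alone. Escaping at output time, not
 * just "sanitizing" on input, is what closes a reflected XSS.
 */
function renderFilterBannerFixed(array $argUrl): string
{
    if (!empty($argUrl['args']['types'])) {
        $safe = htmlspecialchars(
            (string) $argUrl['args']['types'],
            ENT_QUOTES | ENT_HTML5,
            'UTF-8'
        );
        return '<div class="rex-info">Filter: <code>' . $safe . '</code></div>';
    }
    return '';
}

/**
 * Regression check a maintainer can keep in a test suite: true when the
 * raw, tag-bearing input string survives verbatim in the rendered HTML.
 */
function outputContainsRawTag(string $html, string $input): bool
{
    return strpos($input, '<') !== false && strpos($html, $input) !== false;
}

// Constructed request data: a stand-in for the array the advisory says
// rex_request('args', 'array') yields when the crafted URL is visited.
// A harmless bold tag is used as the marker instead of a script payload.
$marker = '<b>marker</b>';
$argUrl = ['args' => ['types' => $marker]];

$before = renderFilterBannerVulnerable($argUrl);
$after  = renderFilterBannerFixed($argUrl);

echo "vulnerable: {$before}\n";
echo "fixed:      {$after}\n";
echo 'raw tag present in vulnerable output: '
    . var_export(outputContainsRawTag($before, $marker), true) . "\n";
echo 'raw tag present in fixed output:      '
    . var_export(outputContainsRawTag($after, $marker), true) . "\n";
```

Run it with `php example.php`: the vulnerable renderer passes the marker tags through, the fixed one turns them into entity-encoded text. The same `outputContainsRawTag` style check is what the `curl ... | grep` line in the section above does by hand against a live instance: fetch the page with a marker in the parameter and look for the marker surviving unescaped in the filter banner.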
Impact:
Session hijacking
CSRF token theft
Admin privilege abuse
Sources:
Reported By: github.com