Redaxo CMS Mediapool Addon Arbitrary File Upload Vulnerability

Vulnerability

An arbitrary file upload vulnerability has been identified in the Mediapool addon of Redaxo CMS versions through 5.5.1. It allows authenticated users with editor accounts to bypass the addon's file extension blacklist. The blacklist does not cover every extension a web server may hand to the PHP interpreter, so a file under an obfuscated extension such as php71 or php53 passes the check and, where the server treats that extension as PHP, its contents execute as code.

Impact

Successful exploitation allows arbitrary file uploads; whether an uploaded file is then executed as code depends on how the web server's handler configuration treats the uploaded extension.

Reproduction

To reproduce this vulnerability, an authenticated user with an editor account uploads a file through the Mediapool addon. In addon versions prior to 2.4.0, the upload check is a blacklist that rejects files with certain PHP extensions, but extensions absent from that list, such as php71 or php53, pass the check, so a file containing PHP code can be uploaded. If the web server maps that extension to the PHP interpreter, requesting the uploaded file executes it.

Remediation

Users are advised to update to Redaxo CMS version 5.6.0 and Mediapool Addon version 2.4.0, both of which contain the necessary fix.
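The reproduction and remediation sections above describe why an extension blacklist fails and what the fix should look like. The following is an added example, not code from Redaxo or the Mediapool addon: a constructed blacklist of the kind the advisory describes next to an allowlist check, with a comparison over sample upload names that shows the obfuscated extensions the advisory cites passing the first check and failing the second. The extension sets, function names and sample filenames are all constructed for illustration.

```python
import os

# Constructed example blacklist of the kind the advisory describes; not the
# Mediapool addon's real list. It only names extensions someone thought of.
BLACKLISTED_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml"}

# Constructed allowlist for an endpoint that expects images and documents only.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp", "pdf", "txt"}


def _components(filename: str) -> list[str]:
    """Split the basename into lowercased dot-separated parts."""
    return os.path.basename(filename).lower().split(".")


def blacklist_allows(filename: str) -> bool:
    """Deny-list check: accept anything whose final extension is not listed.

    This is the weak pattern: any extension the list author did not foresee
    (php71, php53, ...) passes, even if the web server executes it as PHP.
    """
    parts = _components(filename)
    ext = parts[-1] if len(parts) > 1 else ""
    return ext not in BLACKLISTED_EXTENSIONS


def allowlist_allows(filename: str) -> bool:
    """Allow-list check: accept only names built from expected media extensions.

    Every dot-separated component after the base name must be on the allowlist,
    so an unexpected extension anywhere in the name is rejected, not just at
    the end (some server configurations map handlers on inner extensions too).
    """
    base = os.path.basename(filename)
    if not base or base.startswith("."):
        return False
    parts = base.lower().split(".")
    if len(parts) < 2:
        return False
    return all(part in ALLOWED_EXTENSIONS for part in parts[1:])


def compare(filenames: list[str]) -> dict[str, tuple[bool, bool]]:
    """Return {filename: (blacklist_allows, allowlist_allows)} for each name."""
    return {name: (blacklist_allows(name), allowlist_allows(name)) for name in filenames}


if __name__ == "__main__":
    # Constructed sample upload names, including the obfuscated extensions the advisory cites.
    samples = ["photo.jpg", "report.PDF", "upload.php", "upload.php71",
               "upload.php53", "pic.php.jpg", "README"]
    for name, (deny, allow) in compare(samples).items():
        print(f"{name:14} blacklist={'pass' if deny else 'reject':6} "
              f"allowlist={'pass' if allow else 'reject'}")
```

The name check is only one layer: as the Impact section notes, execution depends on server configuration, so uploads should also be stored outside the web root or in a directory where script execution is disabled, and served with a content type derived from the allowlisted extension rather than from the client.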

Added: May 26, 2026, 9:14 PM
Updated: May 26, 2026, 9:14 PM

Vulnerability Rating

Custom Algorithm

spread:         3.4
impact:        10.0
exploitability: 8.2
remediation:    0.0
relevance:      9.2
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.