Redaxo CMS Arbitrary File Upload Vulnerability in MediaPool Module Allowing Remote Code Execution

A vulnerability allowing arbitrary file upload has been identified in the MediaPool module of Redaxo CMS version 5.17.1. This vulnerability enables attackers to execute arbitrary code by uploading a crafted file. The issue arises from the application's insufficient validation of uploaded files, particularly in the PHP Template creation process. Additionally, the CronJob addon is also vulnerable, as it allows the execution of arbitrary PHP code on the application server.

Impact

Exploitation of this vulnerability could lead to authenticated arbitrary code execution on the server where Redaxo CMS is installed.

Reproduction

To reproduce this vulnerability, an authenticated admin user can upload a file containing malicious PHP code through the MediaPool module. Once the file is uploaded, the admin can create a new PHP template that includes the malicious code, which will then be executed on the server. Alternatively, the vulnerability can be reproduced by creating a cron job that executes arbitrary PHP code, leveraging the same file upload mechanism.