REDAXO CMS
cpe:2.3:a:redaxo:redaxo_cms:*:*:*:*:*:*:*
- 5.20.0
A remote code execution vulnerability has been identified in REDAXO CMS version 5.20.0. This issue arises in the template management component, where remote authenticated administrators can execute arbitrary operating system commands. The vulnerability is exploited by injecting PHP code into an active template, with the payload being executed when visitors access frontend pages that use the compromised template.
Exploitation of this vulnerability allows for remote code execution on the server, with the injected PHP code executed in the context of the web server user. This could lead to a complete system compromise, including unauthorized access to sensitive files, establishment of a reverse shell for persistent access, and potential escalation of privileges to gain full control over the hosting environment.
To reproduce this vulnerability, log in as an administrator and navigate to the templates section. Select the default template and mark it as active. Inject a PHP payload into the template section, such as one that executes a command like 'cat /etc/passwd' or a reverse shell payload. After saving the template, visit the base URL to trigger the payload execution. Screenshots demonstrating this process are available in the CVE reference.
Users are advised to update to REDAXO CMS version 5.20.1, which addresses this vulnerability.
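An added triage check, not code from REDAXO or from the advisory: it scans template sources for OS command execution calls inside PHP blocks, the pattern the reproduction steps above describe. How the template sources are exported from the site is assumed, and the sample templates are constructed.

```python
import re

# PHP built-ins that run OS commands; backtick strings are handled separately.
COMMAND_SINKS = ("system", "exec", "shell_exec", "passthru",
                 "popen", "proc_open", "pcntl_exec")
# <?php ... ?>, <?= ... ?> and short <? ... ?> blocks; an unclosed block runs to EOF.
PHP_BLOCK = re.compile(r"<\?(?:php|=)?(.*?)(?:\?>|\Z)", re.S | re.I)
# The lookbehind skips methods and longer names such as $pdo->exec( or curl_exec(.
SINK_CALL = re.compile(r"(?<![\w>$:])(" + "|".join(COMMAND_SINKS) + r")\s*\(", re.I)
BACKTICK = re.compile(r"`[^`]+`")


def audit_template(name, source):
    """Return sorted (template, line, sink) tuples for command execution in PHP blocks."""
    findings = []
    for block in PHP_BLOCK.finditer(source):
        code, offset = block.group(1), block.start(1)
        hits = [(m.start(1), m.group(1).lower()) for m in SINK_CALL.finditer(code)]
        hits += [(m.start(), "backtick") for m in BACKTICK.finditer(code)]
        for pos, sink in hits:
            # Convert the absolute offset into a 1-based line number.
            line = source.count("\n", 0, offset + pos) + 1
            findings.append((name, line, sink))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample templates (not taken from a real site).
SAMPLE_TEMPLATES = {
    "default": "<html>\n<body>\n<?php echo system('cat /etc/passwd'); ?>\n"
               "REX_ARTICLE[]\n</body>\n</html>",
    "clean": "<html>\n<p>Docs mention system() here</p>\n"
             "<?php $n = $pdo->exec($sql); curl_exec($ch); ?>\nREX_ARTICLE[]\n</html>",
}


def audit_all(templates):
    """Audit a {name: source} mapping and return every finding."""
    return [f for name, src in sorted(templates.items())
            for f in audit_template(name, src)]


if __name__ == "__main__":
    for template, line, sink in audit_all(SAMPLE_TEMPLATES):
        print(f"{template}:{line}: command execution via {sink}")
```

Findings are leads for manual review: a template may call these functions legitimately, and a regex pass does not see obfuscated or dynamically built calls.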