REDAXO Backup Addon Path Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

A path traversal vulnerability has been identified in the REDAXO Backup addon, affecting versions prior to 5.20.2. Authenticated users with backup permissions can exploit this vulnerability to read arbitrary files within the webroot. The issue arises because the Backup addon does not properly validate the 'EXPDIR' POST parameter against a UI-generated allowlist of permitted directories. This lack of validation allows attackers to supply relative paths with '../' sequences or absolute paths within the document root to include any readable file in the exported '.tar.gz' archive. Sensitive files such as database configuration files and logs can be accessed as a result.
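As an added illustration of the missing check described above (not code from the REDAXO project, whose addon is written in PHP), the Python below contrasts an unvalidated join of a user-supplied EXPDIR value with a check that only accepts a directory whose canonical form is exactly one of the allowlisted entries. The webroot and the allowlist entries are constructed placeholders, not the addon's real directories.

```python
import os
from typing import Optional

# Constructed example values: the real allowlist is generated by the addon's
# UI; these directory names are placeholders, not the project's own.
WEBROOT = "/var/www/redaxo"
ALLOWED_EXPORT_DIRS = ("media", "data/backup")


def vulnerable_export_path(webroot: str, expdir: str) -> str:
    """Unvalidated handling of the kind the advisory describes: the
    user-supplied EXPDIR is joined onto the webroot as-is.  Both '../'
    sequences and absolute paths escape the intended directories
    (os.path.join discards the webroot entirely when expdir is absolute)."""
    return os.path.normpath(os.path.join(webroot, expdir))


def allowlist_canonical(webroot: str, allowed: tuple) -> set:
    """Canonical (symlink-resolved, normalised) forms of the permitted dirs."""
    return {os.path.realpath(os.path.join(webroot, d)) for d in allowed}


def hardened_export_path(webroot: str, allowed: tuple, expdir: str) -> Optional[str]:
    """Return the canonical export directory only if it is exactly one of
    the allowlisted directories, otherwise None.

    Canonicalising both sides before comparing neutralises '../' sequences
    and symlink detours; rejecting absolute input up front mirrors the UI,
    which only ever submits relative selections; comparing for equality
    (not prefix) keeps 'media2' from matching 'media'."""
    if os.path.isabs(expdir):
        return None
    candidate = os.path.realpath(os.path.join(webroot, expdir))
    if candidate in allowlist_canonical(webroot, allowed):
        return candidate
    return None


if __name__ == "__main__":
    for value in ("media", "media/../media", "../../../etc", "/etc", "media2"):
        print(f"{value!r:20} vulnerable -> {vulnerable_export_path(WEBROOT, value)}"
              f"  hardened -> {hardened_export_path(WEBROOT, ALLOWED_EXPORT_DIRS, value)}")
```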

Impact

Exploitation of this vulnerability could lead to a full compromise of the REDAXO installation, allowing attackers to take over the database, extract password hashes for offline cracking, and potentially gain admin access. According to the REDAXO security advisory, this vulnerability could also lead to remote code execution when combined with other vulnerabilities.

Reproduction

To reproduce this vulnerability, log in as a user with Backup permissions and navigate to the Backup → Export → Files section. Intercept the request with a tool like Burp Suite and modify the 'EXPDIR' parameter to include a path traversal sequence, such as a relative path with '../' sequences or an absolute path within the document root. Send the modified request to download the archive, which will contain the files from the location specified in the 'EXPDIR' parameter, such as the 'config.yml' file containing database credentials and password hashes.

Remediation

Users can update to REDAXO version 5.20.2 or later, where this vulnerability has been patched.

Added: Jan 7, 2026, 11:17 PM
Updated: Jan 7, 2026, 11:17 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 2.5
exploitability: 6.3
remediation: 7.7
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.