## https://sploitus.com/exploit?id=B8AA8BC7-97C0-521A-B88C-499AA12B9DBA
# GitHub Security Advisory: Redaxo CMS 6.x: Privilege Escalation, RCE, SSRF, CSRF Bypass

---

## Advisory Information

| Field | Value |
|-------|-------|
| **Severity** | Critical / High |
| **CWE** | CWE-862 (Missing Authorization) / CWE-918 (SSRF) / CWE-94 (Code Injection) / CWE-352 (CSRF) |
| **CVSS v3.1** | 9.1 (Privilege Escalation) / 8.8 (RCE via Backup) / 7.7 (SSRF) |
| **CVSS Vector** | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (privilege escalation; note that this vector scores 9.9 under CVSS v3.1, while a 9.1 with changed scope corresponds to PR:H) |

---

## Summary

Redaxo CMS 6.x (a professional German CMS, 498 PHP files audited) contains 16 vulnerabilities, including: (1) privilege escalation via the AddonOperation API function, which performs no authorization check; (2) remote code execution via the backup import companion script; (3) SSRF via the cronjob URL request type; (4) several CSRF bypasses, including a backup download that runs before the token check and a mailer configuration form without a token.

---

## Vulnerability Details

### Affected Package/Repository

- **Repository:** `redaxo/redaxo`
- **Affected Versions:** 6.x-dev (current)
- **Patched Version:** N/A (0-day)
- **Commit Hash (audited):** `042d10cfd60109629f3394109109098f96cc94f5`

---

## CVE-REQUEST-001: Privilege Escalation via AddonOperation API (CVSS 9.1)

**File:** `src/Addon/ApiFunction/AddonOperation.php`, lines 26-56

```php
#[AsApiFunction('addon_operation')]
final class AddonOperation extends ApiFunction
{
    public function execute(): Result
    {
        if (Core::isLiveMode()) { throw ...; }              // the only guard: live mode
        $function = Request::request('function', 'string'); // method name chosen by the caller
        // NO PERMISSION CHECK on the calling user!
        // $package is likewise taken from the request (elided in this excerpt)
        $manager = AddonManager::factory($package);
        $success = Type::bool($manager->$function());       // install/activate/deactivate/uninstall
    }
}
```

**Zero authorization.** Any authenticated backend user, regardless of role, can call `?rex-api-call=addon_operation&function=install&package=any_addon` to install, activate, deactivate, or uninstall any addon. The framework only verifies that a backend session exists (`ApiFunction.php:170-178`); it never checks the user's permissions.

**PoC:**
```bash
curl "http://target/redaxo/?rex-api-call=addon_operation&function=install&package=malicious_addon" \
  -b "PHPSESSID=VALID_SESSION"
```

---

## CVE-REQUEST-002: RCE via Backup Import Companion Script (CVSS 8.8)

**File:** `src/Backup/Backup.php`, lines 166, 474-479

```php
// str_replace replaces EVERY ".sql" in the name, not just the extension
self::importScript(str_replace('.sql', '.php', $filename), ...);

private static function importScript(string $filename, ...): void
{
    if (is_file($filename)) {
        require $filename;   // EXECUTES COMPANION PHP SCRIPT
    }
}
```

When a database backup is imported, the code derives a companion filename by replacing `.sql` with `.php` in the backup's name and, if that file exists, executes it with `require`. Whoever can write a `.php` file into the backup directory (through any upload or path-traversal primitive) therefore gets arbitrary code execution as soon as an admin imports the matching `.sql` file; the import itself is a legitimate, expected action, so nothing in the UI flags it.
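As an added example (not Redaxo's own code) of the pre-import check a practitioner would want, the following script audits a backup directory for `.sql` files whose companion `.php` name, computed exactly as the quoted `str_replace('.sql', '.php', ...)` does, is also present. The only input is the directory path; the filenames in the self-test are constructed.

```python
"""Audit a Redaxo backup directory for .sql files that have a companion .php
script, the condition under which the quoted Backup::importScript() would
require() it during an import.

Added example, not part of Redaxo: a read-only pre-import check. The companion
name is derived exactly as str_replace('.sql', '.php', $filename) does, which
replaces every ".sql" substring, not only the extension, so "site.sql.old.sql"
maps to "site.php.old.php". Filenames used in the self-test are constructed.
"""
import os
import sys


def companion_script_name(sql_name: str) -> str:
    """Mirror PHP str_replace('.sql', '.php', $filename): all occurrences."""
    return sql_name.replace(".sql", ".php")


def companion_pairs(filenames):
    """Return sorted (sql, php) pairs where both names are present."""
    present = set(filenames)
    pairs = []
    for name in sorted(present):
        if ".sql" not in name:
            continue
        php = companion_script_name(name)
        if php in present:
            pairs.append((name, php))
    return pairs


def audit_backup_dir(path: str):
    """List companion-script pairs found directly in `path`."""
    return companion_pairs(os.listdir(path))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    hits = audit_backup_dir(target)
    for sql, php in hits:
        print(f"WARNING: importing {sql} would require() {php}")
    sys.exit(1 if hits else 0)
```

Run it against the backup directory before every import; a non-zero exit means at least one backup would execute code. It is a detective control only; the actual fix remains removing the `require` (see Patches / Fix below).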

---

## CVE-REQUEST-003: SSRF via Cronjob URL Request Type (CVSS 7.7)

**File:** `src/Cronjob/Type/UrlRequestType.php`, line 30

```php
$response = Core::getHttpClient()->request($method, $this->getParam('url'), $options);
```

The URL is used with no validation: no scheme restriction, no hostname allowlisting, no private-IP blocking. An admin with cronjob permissions can point it at `169.254.169.254` for cloud metadata, at internal databases, or at internal web applications. Any fix must also apply its check to every redirect hop (or disable redirects), since a public host can 3xx-redirect the fetcher to an internal address, and should connect to the address it validated rather than re-resolving the name, to avoid DNS rebinding.
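The following is an added example of the destination gate the fix for `UrlRequestType` needs; it is not Redaxo code and the function names are this example's own. It rejects non-HTTP schemes, embedded credentials and any address that is not globally routable, normalising unusual IPv4 literal forms (decimal, octal, short) and IPv4-mapped IPv6 before checking, and resolves hostnames through an injectable resolver so it can be tested offline.

```python
"""Outbound URL gate for a cronjob-style URL fetcher.

Added example of the suggested fix for UrlRequestType; not Redaxo code.
Rejects: non-http(s) schemes, URLs carrying credentials, and any destination
whose address is loopback, link-local (169.254.0.0/16 including cloud
metadata), private, CGNAT, multicast, reserved or otherwise non-global.
IPv4 literals are first normalised through inet_aton so that decimal, octal
and short forms such as "2852039166" are caught; IPv4-mapped IPv6 literals are
unwrapped. Hostnames go through `resolver` (default: the system resolver).
"""
import ipaddress
import socket
from urllib.parse import urlsplit


def _system_resolve(host):
    """All addresses the system resolver returns for `host`."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def _candidate_addresses(host, resolver):
    """Every IP the host may stand for, as ipaddress objects."""
    try:                                   # plain IPv4/IPv6 literal
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    try:                                   # odd IPv4 forms: "2852039166", "0251.0376.0251.0376"
        return [ipaddress.ip_address(socket.inet_ntoa(socket.inet_aton(host)))]
    except OSError:
        pass
    return [ipaddress.ip_address(a) for a in resolver(host)]


def _is_global(addr):
    """True only for publicly routable unicast addresses."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped            # ::ffff:169.254.169.254 -> 169.254.169.254
    return addr.is_global and not addr.is_multicast


def is_safe_ssrf_target(url, resolver=_system_resolve):
    """Return True if `url` may be fetched by a server-side job."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    if not host:
        return False
    try:
        parts.port                         # raises ValueError on a malformed port
    except ValueError:
        return False
    try:
        addrs = _candidate_addresses(host, resolver)
    except (ValueError, OSError, LookupError):
        return False                       # unresolvable or unparsable: fail closed
    return bool(addrs) and all(_is_global(a) for a in addrs)
```

Pair the gate with a fetch that connects to the validated address (sending the original Host header and SNI) and that re-runs the gate on each redirect target, otherwise a DNS rebinding or a 3xx from a public host walks around the check.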

---

## CVE-REQUEST-004: CSRF Bypass โ€” Backup Download Before Token Check (CVSS 5.4)

**File:** `pages/backup/import.server.php`, lines 38-44

```php
if ('download' == $function && $impname && is_readable(Backup::getDir() . '/' . $impname)) {
    Response::sendFile(Backup::getDir() . '/' . $impname, ...);
    exit;    // EXITS BEFORE CSRF CHECK BELOW!
}
if ($function && !$csrfToken->isValid()) {
    $error = I18n::msg('csrf_token_invalid');
}
```

The download branch executes and exits **before** the CSRF token is validated, so any cross-site GET request (for example one issued by an `<img>` tag or a link on an attacker's page) triggers a backup download containing database dumps with password hashes. Caveat: the browser's same-origin policy prevents the attacking page from reading the response, so on its own this forces the download onto the victim's machine rather than delivering the dump to the attacker; it is still a genuine bypass of the token check.
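For defenders, the following added example (not part of Redaxo or of this advisory's PoC material) triages web-server access logs for the two request shapes from CVE-REQUEST-001 and CVE-REQUEST-004: any call to `rex-api-call=addon_operation`, and any `function=download&impname=...` backup download whose Referer is missing or belongs to another origin. The log lines are constructed, and the `/redaxo/index.php` path used for the download request is an assumption.

```python
"""Access-log triage for the two request shapes described in this advisory.

Added example, not part of Redaxo: it reads web-server access-log lines in
the Combined Log Format and flags
  1. every call to the addon_operation API function (the audited code performs
     no authorization check, so each hit should be matched against who is
     actually allowed to manage addons), and
  2. backup downloads (function=download&impname=...) whose Referer is missing
     or points at another origin, the shape a CSRF-triggered download has.
The third log field is the HTTP-auth user, not the CMS account; the backend
session user does not appear in an access log. SAMPLE_LOG is constructed for
this example and the /redaxo/index.php download path is an assumption.
"""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<authuser>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = [
    # constructed: a backend session calls the addon API directly with curl
    '203.0.113.7 - - [01/Jul/2026:10:15:02 +0000] "GET /redaxo/?rex-api-call=addon_operation'
    '&function=install&package=example_addon HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    # constructed: backup download with a Referer on another origin (CSRF shape)
    '203.0.113.7 - - [01/Jul/2026:10:16:40 +0000] "GET /redaxo/index.php?function=download'
    '&impname=2026-06-30_full.sql HTTP/1.1" 200 891234 "https://evil.example/lure.html" "Mozilla/5.0"',
    # constructed: the same download started from the backend itself (benign)
    '198.51.100.2 - - [01/Jul/2026:10:20:11 +0000] "GET /redaxo/index.php?function=download'
    '&impname=2026-06-30_full.sql HTTP/1.1" 200 891234 "https://cms.example.org/redaxo/index.php" "Mozilla/5.0"',
    # constructed: unrelated backend page view
    '198.51.100.2 - - [01/Jul/2026:10:21:05 +0000] "GET /redaxo/index.php?page=structure HTTP/1.1"'
    ' 200 4321 "https://cms.example.org/redaxo/index.php" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict for one Combined Log Format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    query = parse_qs(urlsplit(rec["target"]).query)
    rec["query"] = {k: v[0] for k, v in query.items()}  # first value per key
    return rec


def triage(lines, own_host):
    """Collect findings for the two patterns; own_host is the backend's hostname."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = rec["query"]
        if q.get("rex-api-call") == "addon_operation":
            findings.append({"kind": "addon_operation", "ip": rec["ip"], "ts": rec["ts"],
                             "function": q.get("function"), "package": q.get("package")})
        if q.get("function") == "download" and "impname" in q:
            ref_host = urlsplit(rec["referer"]).hostname   # None when Referer is "-"
            if ref_host != own_host:
                findings.append({"kind": "cross_site_backup_download", "ip": rec["ip"],
                                 "ts": rec["ts"], "impname": q["impname"],
                                 "referer": rec["referer"]})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, own_host="cms.example.org"):
        print(finding)
```

The Referer heuristic is deliberately conservative: a missing header is flagged too, because a strict `Referrer-Policy` on the attacker's page can suppress it. If the web server logs the `Sec-Fetch-Site` request header, keying the second rule on `cross-site` is more reliable than the Referer.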

---

## Additional Findings (16 total)

| # | Vulnerability | CVSS | Type |
|---|--------------|------|------|
| H-3 | Backend API functions no auth check | 8.8 | Broken Access Ctrl |
| H-5 | Tar extraction to project root (path traversal) | 8.1 | Path Traversal |
| H-6 | Host header injection in enforceHttps() | 6.1 | Open Redirect |
| M-2 | CSRF on mailer configuration (SMTP creds) | 6.5 | CSRF |
| M-4 | Media sync unsanitized filenames (stored XSS) | 5.4 | XSS |
| M-6 | phpinfo() exposed to admins | 4.9 | Info Disclosure |
| M-7 | Whoops error handler stack traces | 5.5 | Info Disclosure |
| M-8 | SHA1 legacy password fallback | 5.9 | Weak Crypto |
| M-9 | Stay-logged-in cookie (3 months) | 6.5 | Session Mgmt |
| M-10 | Non-admin can enumerate admin accounts | 4.3 | Info Disclosure |
| L-5 | Media update skips extension check | not scored | File Upload |

---

## Positive Security Controls Noted

The Redaxo codebase has exemplary security practices in many areas:
- Zero `unserialize()`, `eval()`, or `create_function()` calls
- Comprehensive CSRF token system with `hash_equals()`
- SVG sanitization via `enshrined/svg-sanitize`
- bcrypt password hashing via `password_hash()`
- Session regeneration on login with strict mode
- Built-in Psalm taint analysis
- Whitelist-based page permission model

---

## Impact

- **Addon ecosystem compromise** via unauthorized addon install/activate
- **RCE on server** via backup companion script
- **Internal network access** via SSRF
- **Forced backup download** (CSRF bypass) exposing database dumps with password hashes to the victim's browser; the attacker's page cannot read the cross-origin response itself
- **SMTP credential theft** via CSRF on mailer config

---

## Patches / Fix

1. Add `$this->requireUser()->isAdmin()` check to `AddonOperation::execute()`
2. Remove or sandbox `importScript()`; do not `require()` user-influenced paths
3. Add URL validation with private-IP blocking to `UrlRequestType`
4. Move CSRF token check BEFORE the download operation
5. Add CSRF tokens to all forms (mailer config, customizer, log deletion)
6. Escape filenames from filesystem in `sync.php`
7. Replace `$_SERVER['HTTP_HOST']` with trusted server name in `enforceHttps()`

---

## Disclosure Timeline

- **2026-06-28:** All 16 vulnerabilities discovered by Fatullayev Asadbek (Kimdir01)
- **TBD:** Reported to REDAXO maintainers
- **TBD:** CVEs requested via GitHub
- **TBD:** Advisories published

---

## Credits

- Discovered by: Fatullayev Asadbek | GitHub: Kimdir01
- Independent security researcher

---

## References

- CWE-862: Missing Authorization
- CWE-918: Server-Side Request Forgery (SSRF)
- CWE-94: Code Injection
- CWE-352: Cross-Site Request Forgery