
Security Advisory: Redactor Unrestricted File Upload

Posted by David Chadwick - 12 August, 2019


Redactor Unrestricted File Upload

Release date: 29/07/2019

Last update: 29/07/2019

Vendor: Symphony

Vendor site: http://symphonyextensions.com/extensions/richtext_redactor/

Product: Rich Text Formatter (Redactor) - (Symphony CMS plugin/extension)

Affected version(s): 1.1.1

Remediated version: Unsupported

Severity Rating: High

Impact: Remote code execution

Attack vector: Remote without authentication

CVE: CVE-2019-13187

Details: The ‘content.fileupload.php’ and ‘content.imageupload.php’ files allow malicious files to be uploaded to a web-server-accessible directory. There are no restrictions on what file types can be uploaded. These files are typically located at https://<HOST>/symphony/extension/richtext_redactor/imageupload/ and https://<HOST>/symphony/extension/richtext_redactor/fileupload/.

The following screenshot shows a PHP web shell being uploaded through the ‘content.imageupload.php’ file:

[Screenshot: PHP web shell uploaded via content.imageupload.php]

The following screenshot shows a PHP web shell being uploaded through the ‘content.fileupload.php’ file:

[Screenshot: PHP web shell uploaded via content.fileupload.php]

The file is then saved on the web server, to either the ‘/workspace/redactor/files/’ or the ‘/workspace/redactor/images/’ directory, depending on which script handled the upload. The application also returns the new filename in the upload response. Both directories are web-accessible, so the uploaded file can be requested directly and commands passed to it for execution, as shown below. This allows the server to be compromised.

[Screenshot: commands executed through the uploaded web shell]
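As an added example (not part of the advisory or of the extension's own code), the following Python triage script walks the two upload directories named above and reports files that should not be there: anything outside an assumed allowlist of upload extensions, a ‘.php’ anywhere in the filename (double extensions such as ‘x.php.jpg’), or PHP open tags and typical shell functions in the content. The directory names come from the advisory; the allowlist and the sample files in demo() are constructed.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Upload directories named in the advisory, relative to the Symphony web root.
UPLOAD_DIRS = ("workspace/redactor/files", "workspace/redactor/images")

# Assumed allowlist of what the upload handlers were meant to receive (not the
# extension's own configuration); anything else in these directories is suspicious.
EXPECTED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt", ".doc", ".docx"}

# PHP open tags, plus functions commonly seen in uploaded web shells.
PHP_MARKER = re.compile(rb"<\?(php|=)|\b(eval|system|passthru|shell_exec)\s*\(", re.IGNORECASE)


def inspect_file(path: str) -> List[str]:
    """Return the reasons a file looks out of place in an upload directory (empty if none)."""
    reasons = []
    name = os.path.basename(path).lower()
    ext = os.path.splitext(name)[1]
    if ext not in EXPECTED_EXT:
        reasons.append(f"unexpected extension {ext or '(none)'}")
    if ".php" in name:  # catches both upload.php and double extensions such as doc.php.jpg
        reasons.append("php in filename")
    with open(path, "rb") as fh:
        head = fh.read(65536)  # the open tag of a web shell sits near the start of the file
    if PHP_MARKER.search(head):
        reasons.append("php marker in content")
    return reasons


def hunt(webroot: str) -> List[Tuple[str, List[str]]]:
    """Walk both upload directories under webroot and collect (relative path, reasons)."""
    findings = []
    for rel in UPLOAD_DIRS:
        base = os.path.join(webroot, rel)
        if not os.path.isdir(base):
            continue
        for dirpath, _, filenames in os.walk(base):
            for fname in sorted(filenames):
                full = os.path.join(dirpath, fname)
                reasons = inspect_file(full)
                if reasons:
                    findings.append((os.path.relpath(full, webroot), reasons))
    return findings


def demo() -> List[Tuple[str, List[str]]]:
    """Constructed web root: one benign image, one PHP file, one double-extension file."""
    root = tempfile.mkdtemp()
    images = os.path.join(root, "workspace", "redactor", "images")
    files = os.path.join(root, "workspace", "redactor", "files")
    os.makedirs(images)
    os.makedirs(files)
    with open(os.path.join(images, "photo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n")                      # benign: PNG header only
    with open(os.path.join(images, "upload.php"), "wb") as fh:
        fh.write(b"<?php /* constructed placeholder */ ?>")  # harmless marker, not a shell
    with open(os.path.join(files, "doc.php.jpg"), "wb") as fh:
        fh.write(b"GIF89a")                                  # image bytes, suspicious name
    return hunt(root)


if __name__ == "__main__":
    for path, reasons in demo():
        print(path, "->", "; ".join(reasons))
```

Run it against the real web root with hunt("/path/to/symphony") after confirming the same paths exist; a clean result does not prove the host is untouched, since the web server's access logs for these two directories should be reviewed as well.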

Recommendation: This extension is no longer maintained or supported. The extension should be decommissioned and removed from the application.

Discovered by: David Chadwick from Content Security Pty. Ltd.
