
Security Advisory: Redactor Unrestricted File Upload

Posted by David Chadwick - 12 August, 2019


Redactor Unrestricted File Upload

Release date: 29/07/2019

Last update: 29/07/2019

Vendor: Symphony

Vendor site: http://symphonyextensions.com/extensions/richtext_redactor/

Product: Rich Text Formatter (Redactor) - (Symphony CMS plugin/extension)

Affected version(s): 1.1.1

Remediated version: Unsupported

Severity Rating: High

Impact: Remote code execution

Attack vector: Remote without authentication

CVE: CVE-2019-13187

Details: The ‘content.fileupload.php’ and ‘content.imageupload.php’ scripts allow arbitrary files to be uploaded to a directory that the web server serves. There are no restrictions on the type, extension or content of the uploaded file, and neither script requires authentication. These scripts are typically reachable at https://<HOST>/symphony/extension/richtext_redactor/imageupload/ and https://<HOST>/symphony/extension/richtext_redactor/fileupload/.
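The following is an added example and is not code from the Redactor extension or from Symphony CMS. It contrasts what an unrestricted upload handler does with a client-supplied filename (keeps it as-is) against the server-side checks such a handler needs: a fail-closed extension allowlist, a magic-byte check that the content matches the claimed type, rejection of double extensions and embedded script tags, and a server-chosen random filename. The allowlist, the magic-byte table and all function names are this example's own assumptions, not anything the extension ships.

```python
"""Added example, not code from the Redactor extension or Symphony CMS.

Contrasts an unrestricted upload handler (keeps the client's filename) with
the server-side checks such a handler needs. The allowlist, magic-byte table
and function names are this example's own assumptions.
"""
import os
import secrets

# Hypothetical allowlist: anything not listed is rejected (fail closed).
SAFE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Leading bytes a file claiming each extension must start with.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


class UploadRejected(ValueError):
    """Raised when an upload fails one of the checks."""


def vulnerable_store_name(filename: str) -> str:
    """The unrestricted behaviour: store under whatever name the client sent.

    A client-supplied 'shell.php' is written as 'shell.php' into a directory
    the web server serves, which is the condition the advisory describes.
    """
    return os.path.basename(filename)


def hardened_store_name(filename: str, data: bytes) -> str:
    """Return a server-chosen filename for an acceptable upload, else raise."""
    base = os.path.basename(filename)  # strip any client-supplied directory part
    parts = base.lower().split(".")
    if len(parts) != 2 or not all(parts):
        # Covers 'shell', '.htaccess' and double extensions such as
        # 'shell.php.jpg'; exactly one non-empty extension is the accepted shape.
        raise UploadRejected("filename must have exactly one non-empty extension")
    ext = parts[1]
    if ext not in SAFE_EXTENSIONS:
        raise UploadRejected(f"extension .{ext} is not allowed")
    if not any(data.startswith(magic) for magic in MAGIC[ext]):
        raise UploadRejected("content does not match the claimed type")
    if b"<?php" in data or b"<?=" in data:
        # A valid image with PHP tags embedded is still dangerous if the server
        # is ever configured to run PHP from the upload directory.
        raise UploadRejected("script tag found inside upload")
    # The stored name is random and keeps only the validated extension, so the
    # client never controls what is written to the filesystem.
    return f"{secrets.token_hex(16)}.{ext}"


def is_rejected(filename: str, data: bytes) -> bool:
    """True if the hardened handler refuses the upload."""
    try:
        hardened_store_name(filename, data)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a minimal JPEG header and a one-line PHP web shell.
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    shell = b"<?php system($_GET['cmd']); ?>"
    print("unrestricted keeps:", vulnerable_store_name("../shell.php"))
    print("hardened stores as:", hardened_store_name("photo.jpg", jpeg))
    for name, body in [("shell.php", shell), ("shell.phtml", shell),
                       ("shell.php.jpg", jpeg), ("shell.jpg", jpeg + shell)]:
        print(name, "rejected:", is_rejected(name, body))
```

The checks are deliberately layered: the allowlist alone would still accept a renamed PHP file, the magic-byte check alone would accept a polyglot image, and neither helps if the client's own name reaches the filesystem, so the stored name is always generated server-side. Serving the upload directory with script execution disabled is a separate control that these checks do not replace.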

The following screenshot shows a PHP web shell being uploaded through the ‘content.imageupload.php’ file:


The following screenshot shows a PHP web shell being uploaded through the ‘content.fileupload.php’ file:


The file is then saved on the web server, to either the ‘/workspace/redactor/files/’ or the ‘/workspace/redactor/images/’ directory depending on which script handled the upload, and the upload response returns the new filename. Both directories are web accessible, so an uploaded PHP file can be requested directly and its code is executed by the server, with commands passed in the request as shown below. This allows the server to be compromised.
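The following is an added example and is not from the advisory or the Symphony project. It implements two triage checks for the upload-then-execute sequence described above: one scans web server access log lines for a client that POSTed to one of the upload endpoints and then requested a server-executable file in a drop directory, the other sweeps the two drop directories on disk for files with an extension the server would execute and checks whether the extension directory is still present. The log lines and the sample webroot are constructed for this example; the endpoint and drop directory paths are the ones the advisory gives, while the PHP extension list and the ‘extensions/richtext_redactor’ install path are assumptions.

```python
"""Added example, not from the advisory or the Symphony project.

(1) Find clients in the access log that POSTed to an upload endpoint and then
requested an executable file in a drop directory. (2) Sweep the drop
directories on disk. Log lines and the sample webroot are constructed; the
PHP extension list and the 'extensions/richtext_redactor' path are assumptions.
"""
import os
import re
import tempfile

UPLOAD_ENDPOINTS = (
    "/symphony/extension/richtext_redactor/imageupload/",
    "/symphony/extension/richtext_redactor/fileupload/",
)
DROP_DIRS = ("/workspace/redactor/files/", "/workspace/redactor/images/")
# Extensions a typical PHP handler mapping executes (assumption; check the
# real AddHandler/SetHandler or FastCGI configuration on the host).
EXEC_EXTS = (".php", ".phtml", ".phar", ".php3", ".php5", ".php7")

# Common/combined log prefix: host ident user [time] "METHOD PATH PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: 203.0.113.5 uploads and then calls the dropped file;
# 198.51.100.7 fetches a real image and 404s on a PHP name it never uploaded.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Jul/2019:10:01:02 +1000] "GET /symphony/ HTTP/1.1" 302 0',
    '203.0.113.5 - - [29/Jul/2019:10:01:09 +1000] "POST /symphony/extension/richtext_redactor/imageupload/ HTTP/1.1" 200 58',
    '203.0.113.5 - - [29/Jul/2019:10:01:15 +1000] "GET /workspace/redactor/images/1564358469.php?cmd=id HTTP/1.1" 200 71',
    '198.51.100.7 - - [29/Jul/2019:10:02:00 +1000] "GET /workspace/redactor/images/logo.png HTTP/1.1" 200 8112',
    '198.51.100.7 - - [29/Jul/2019:10:02:30 +1000] "GET /workspace/redactor/files/notes.php HTTP/1.1" 404 209',
]


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_upload_then_exec(lines):
    """(ip, requested path) for each request to an executable file in a drop
    directory by a client that earlier POSTed to an upload endpoint."""
    uploaders = set()
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        path = ev["path"].split("?", 1)[0]  # ignore the query string for matching
        if ev["method"] == "POST" and path.startswith(UPLOAD_ENDPOINTS):
            uploaders.add(ev["ip"])
        elif (ev["ip"] in uploaders and path.startswith(DROP_DIRS)
              and path.lower().endswith(EXEC_EXTS)):
            hits.append((ev["ip"], ev["path"]))
    return hits


def sweep_drop_dirs(webroot):
    """Files under the drop directories with a server-executable extension."""
    found = []
    for rel in DROP_DIRS:
        top = os.path.join(webroot, *rel.strip("/").split("/"))
        for root, _dirs, files in os.walk(top):
            for name in files:
                if name.lower().endswith(EXEC_EXTS):
                    full = os.path.join(root, name)
                    found.append(os.path.relpath(full, webroot).replace(os.sep, "/"))
    return sorted(found)


def extension_still_installed(webroot):
    """True while the extension directory is present (assumed layout
    <root>/extensions/<handle>/)."""
    return os.path.isdir(os.path.join(webroot, "extensions", "richtext_redactor"))


def build_sample_webroot():
    """Constructed webroot: one dropped shell per drop directory next to
    legitimate uploads, with the extension still installed."""
    root = tempfile.mkdtemp(prefix="symphony-")
    layout = {
        "workspace/redactor/images/logo.png": b"\x89PNG\r\n\x1a\n",
        "workspace/redactor/images/1564358469.php": b"<?php system($_GET['cmd']); ?>",
        "workspace/redactor/files/report.pdf": b"%PDF-1.4",
        "workspace/redactor/files/upload.phtml": b"<?php eval($_POST['c']); ?>",
        "extensions/richtext_redactor/extension.driver.php": b"<?php // stub",
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for ip, path in find_upload_then_exec(SAMPLE_LOG):
        print(f"upload-then-execute from {ip}: {path}")
    root = build_sample_webroot()
    print("executable files in drop dirs:", sweep_drop_dirs(root))
    print("extension still installed:", extension_still_installed(root))
```

The log check keys on the client address only; on a site behind a proxy, substitute the forwarded client address field before relying on it. The disk sweep is the more reliable of the two after the fact, since an attacker's upload and first request may predate log retention.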


Recommendation: This extension is no longer maintained or supported, and no fixed version is available. The extension should be decommissioned and removed from the application. Because any file uploaded before removal remains in the ‘/workspace/redactor/files/’ and ‘/workspace/redactor/images/’ directories, those directories should also be reviewed for previously dropped files as part of the cleanup.

Discovered by: David Chadwick from Content Security Pty. Ltd.
