Redactor Unrestricted File Upload
Release date: 29/07/2019
Last update: 29/07/2019
Product: Rich Text Formatter (Redactor) - (Symphony CMS plugin/extension)
Affected version(s): 1.1.1
Remediated version: Unsupported
Severity Rating: High
Impact: Remote code execution
Attack vector: Remote without authentication
Details: The ‘content.fileupload.php’ and ‘content.imageupload.php’ files allow malicious files to be uploaded to a web server accessible directory. There are no restrictions on which files can be uploaded. These files are typically located at https://<HOST>/symphony/extension/richtext_redcator/imageupload/ and https://<HOST>/symphony/extension/richtext_redcator/fileupload/.
The following screenshot shows a PHP web shell being uploaded through the ‘content.imageupload.php’ file:
The following screenshot shows a PHP web shell being uploaded through the ‘content.fileupload.php’ file:
The file is then saved to the web server, either to the ‘/workspace/redactor/files/’ or the ‘/workspace/redactor/images/’ directory, depending on which script uploaded the file. The application also returns the new filename in the upload response. Both directories are web accessible, so commands can then be sent to the uploaded files for execution, as shown below. This allows the server to be compromised.
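As an added example (not part of the advisory or the extension), the following log triage script flags the pattern described above in web server access logs: a POST to either upload endpoint, and any later request for a script file inside the two upload directories. It assumes Apache/nginx "combined" log format; the log lines and the list of executable extensions are constructed for the example.

```python
import re
from dataclasses import dataclass

# Paths named in the advisory: the upload scripts and the directories they write to.
UPLOAD_ENDPOINTS = (
    "/symphony/extension/richtext_redcator/imageupload/",
    "/symphony/extension/richtext_redcator/fileupload/",
)
UPLOAD_DIRS = ("/workspace/redactor/files/", "/workspace/redactor/images/")
# Assumed list of extensions the web server executes instead of serving; adjust per server.
EXECUTABLE_EXTS = (".php", ".phtml", ".php5", ".phar")

# Assumption: Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

@dataclass
class Finding:
    ip: str
    kind: str  # "upload" (POST to a vulnerable endpoint) or "exec" (script fetched from an upload dir)
    path: str
    ts: str

def analyze(lines):
    """Parse access-log lines and return uploads to the vulnerable endpoints plus
    any request for an executable file inside the directories those endpoints write to."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]  # drop the query string before matching
        if m["method"] == "POST" and path.startswith(UPLOAD_ENDPOINTS):
            findings.append(Finding(m["ip"], "upload", path, m["ts"]))
        elif path.startswith(UPLOAD_DIRS) and path.lower().endswith(EXECUTABLE_EXTS):
            findings.append(Finding(m["ip"], "exec", path, m["ts"]))
    return findings

def likely_compromise(findings):
    """Client IPs that both hit an upload endpoint and requested a script from an upload dir."""
    uploaders = {f.ip for f in findings if f.kind == "upload"}
    return sorted({f.ip for f in findings if f.kind == "exec" and f.ip in uploaders})

# Constructed sample log lines (RFC 5737 documentation addresses, fabricated filenames).
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Jul/2019:10:01:02 +1000] "POST /symphony/extension/richtext_redcator/imageupload/ HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [29/Jul/2019:10:01:09 +1000] "GET /workspace/redactor/images/a1b2c3.php?x=1 HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Jul/2019:10:02:30 +1000] "GET /workspace/redactor/images/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Jul/2019:10:03:00 +1000] "POST /symphony/extension/richtext_redcator/fileupload/ HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts}  {f.ip:<14} {f.kind:<6} {f.path}")
    print("likely compromised from:", likely_compromise(analyze(SAMPLE_LOG)))
```

Feed the script your real access log instead of SAMPLE_LOG; a hit on "exec" alone is worth investigating even without a matching upload, since the uploader and the operator may use different addresses.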
Recommendation: This extension is no longer maintained or supported. The extension should be decommissioned and removed from the application.
Discovered by: David Chadwick from Content Security Pty. Ltd.