The following vulnerabilities have been found in Redaxo 4.5 (http://redaxo.org), an open source CMS for small and
Redaxo has no CSRF protection and occasionally accepts GET variables in place of POST, which can be exploited to
overwrite user passwords or delete files by an unsuspecting authenticated user.
* /redaxo/index.php?page=import_export&subpage=import&function=delete&impname=.\..\..\..\.htaccess (Windows only)
The following XSS in the Redaxo back-end can be exploited to hijack sessions of authenticated users.
Authenticated users with access to the import/export module can execute arbitrary code on the server.
* /redaxo/index.php?page=import_export&subpage=export (Allows creation of .php.* files on server)
* /redaxo/index.php?page=import_export&subpage=import (Allows upload of .php files)
* The function rex_mediapool_filename() in "redaxo/functions/function_rex_mediapool.inc.php" fails to properly sanitize
multiple file name extensions, which can be exploited to upload arbitrary code via the image manager (Apache AddHandler)
LFI in Redaxo-Addon tinymce:
* PHP function tinymce_generate_image() in "redaxo/include/addons/tinymce/functions/functions.inc.php" fails to
properly sanitize file names. This has recently been fixed, but not been made public.