CVE-2026-21857

REDAXO is a PHP-based content management system. Prior to version 5.20.2, authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. The Backup addon does not validate the `EXPDIR` POST parameter against the UI-generated allowlist of permitted directories. An attacker can supply relative paths containing `../` sequences (or even absolute paths inside the document root) to include any readable file in the generated `.tar.gz` archive. Version 5.20.2 fixes this issue.

REDAXO is a PHP-based content management system. Prior to version 5.20.2, authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. The Backup addon does not validate the `EXPDIR` POST parameter against the UI-generated allowlist of permitted directories. An attacker can supply relative paths containing `../` sequences (or even absolute paths inside the document root) to include any readable file in the generated `.tar.gz` archive. Version 5.20.2 fixes this issue.

### Summary Authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. <img width="664" height="899" alt="image" src="https://github.com/user-attachments/assets/fd1ca69e-b275-4daf-9a62-621cde6525f5" /> <img width="2358" height="445" alt="image" src="https://github.com/user-attachments/assets/fad81152-9e1b-413e-9823-09540a23e2fb" /> ### Details The Backup addon does not validate the `EXPDIR` POST parameter against the UI-generated allowlist of permitted directories. An attacker can supply relative paths containing `../` sequences (or even absolute paths inside the document root) to include any readable file in the generated `.tar.gz` archive. Vulnerable code: - `redaxo/src/addons/backup/pages/export.php` (lines 72-76) – directly uses `$_POST['EXPDIR']` - `redaxo/src/addons/backup/lib/backup.php` (lines ~413 & ~427) – concatenates unsanitized user input with base path This allows disclosure of sensitive files such as: - `redaxo/data/core/config.yml` → database credentials + password hashes of all backend users - `.env`, custom configuration files, logs, uploaded malicious files, etc. ### Affected versions ≤ 5.20.1 (confirmed working) ### Patched versions None (as of 2025-12-09) ### PoC – Extracting database credentials and password hashes 1. Log in as any user with Backup permission 2. Go to Backup → Export → Files <img width="1240" height="960" alt="image" src="https://github.com/user-attachments/assets/bc05ba18-9664-4be2-b637-4fec3a0f409a" /> 3. Intercept the request with Burp Suite <img width="2184" height="478" alt="image" src="https://github.com/user-attachments/assets/9fa754a1-2cd0-4d3d-a5cc-cfa34c8a1718" /> 4. Change one `EXPDIR[]` value to `../../../../var/www/html/redaxo/data/core` <img width="978" height="591" alt="image" src="https://github.com/user-attachments/assets/d15f5c7f-b72c-44cc-9be2-da8d3f26f124" /> 5. Send request → download archive <img width="423" height="131" alt="image" src="https://github.com/user-attachments/assets/db8a8bda-cdaf-4dea-812f-1e312da908e2" /> 6. Extract and open `data/core/config.yml` <img width="859" height="281" alt="image" src="https://github.com/user-attachments/assets/c8112ce1-5a1d-435f-953b-7eb4e711e042" /> Result: plaintext database password <img width="2534" height="1198" alt="image" src="https://github.com/user-attachments/assets/218ae917-868a-437e-98b0-6471b82c0b10" /> ### Impact Full compromise of the REDAXO installation: - Database takeover - Password hash extraction → offline cracking → admin access - When combined with other vulnerabilities → RCE CVSS 4.0 vector & score below. ### Credits Discovered by: Łukasz Rybak

### Summary Authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. <img width="664" height="899" alt="image" src="https://github.com/user-attachments/assets/fd1ca69e-b275-4daf-9a62-621cde6525f5" /> <img width="2358" height="445" alt="image" src="https://github.com/user-attachments/assets/fad81152-9e1b-413e-9823-09540a23e2fb" /> ### Details The Backup addon does not validate the `EXPDIR` POST parameter against the UI-generated allowlist of permitted directories. An attacker can supply relative paths containing `../` sequences (or even absolute paths inside the document root) to include any readable file in the generated `.tar.gz` archive. Vulnerable code: - `redaxo/src/addons/backup/pages/export.php` (lines 72-76) – directly uses `$_POST['EXPDIR']` - `redaxo/src/addons/backup/lib/backup.php` (lines ~413 & ~427) – concatenates unsanitized user input with base path This allows disclosure of sensitive files such as: - `redaxo/data/core/config.yml` → database credentials + password hashes of all backend users - `.env`, custom configuration files, logs, uploaded malicious files, etc. ### Affected versions ≤ 5.20.1 (confirmed working) ### Patched versions None (as of 2025-12-09) ### PoC – Extracting database credentials and password hashes 1. Log in as any user with Backup permission 2. Go to Backup → Export → Files <img width="1240" height="960" alt="image" src="https://github.com/user-attachments/assets/bc05ba18-9664-4be2-b637-4fec3a0f409a" /> 3. Intercept the request with Burp Suite <img width="2184" height="478" alt="image" src="https://github.com/user-attachments/assets/9fa754a1-2cd0-4d3d-a5cc-cfa34c8a1718" /> 4. Change one `EXPDIR[]` value to `../../../../var/www/html/redaxo/data/core` <img width="978" height="591" alt="image" src="https://github.com/user-attachments/assets/d15f5c7f-b72c-44cc-9be2-da8d3f26f124" /> 5. Send request → download archive <img width="423" height="131" alt="image" src="https://github.com/user-attachments/assets/db8a8bda-cdaf-4dea-812f-1e312da908e2" /> 6. Extract and open `data/core/config.yml` <img width="859" height="281" alt="image" src="https://github.com/user-attachments/assets/c8112ce1-5a1d-435f-953b-7eb4e711e042" /> Result: plaintext database password <img width="2534" height="1198" alt="image" src="https://github.com/user-attachments/assets/218ae917-868a-437e-98b0-6471b82c0b10" /> ### Impact Full compromise of the REDAXO installation: - Database takeover - Password hash extraction → offline cracking → admin access - When combined with other vulnerabilities → RCE CVSS 4.0 vector & score below. ### Credits Discovered by: Łukasz Rybak

REDAXO es un sistema de gestión de contenido basado en PHP. Antes de la versión 5.20.2, los usuarios autenticados con permisos de copia de seguridad pueden leer archivos arbitrarios dentro del directorio raíz web (webroot) mediante salto de ruta en la funcionalidad de exportación de archivos del complemento Backup. El complemento Backup no valida el parámetro POST 'EXPDIR' contra la lista blanca de directorios permitidos generada por la interfaz de usuario. Un atacante puede proporcionar rutas relativas que contengan secuencias '../' (o incluso rutas absolutas dentro del directorio raíz del documento) para incluir cualquier archivo legible en el archivo '.tar.gz' generado. La versión 5.20.2 corrige este problema.