CVE-2021-39459
📋 TL;DR
This vulnerability allows authenticated users of Redaxo CMS to execute arbitrary PHP code on the server by uploading malicious modules. Any installation with administrators or other users holding module upload privileges is exposed, and a successful exploit can compromise the entire hosting system.
💻 Affected Systems
- Yakamara Media Redaxo CMS
📦 What is this software?
Redaxo is an open-source PHP content management system developed by Yakamara Media (GitHub: redaxo/redaxo).
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, ransomware deployment, or use as a foothold for lateral movement in the network.
Likely Case
Unauthorized code execution leading to website defacement, data exfiltration, or installation of backdoors.
If Mitigated
Limited impact if proper access controls and input validation are implemented, restricting module uploads to trusted users only.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. Public proof-of-concept code exists in GitHub repositories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.12.2 or later
Vendor Advisory: https://github.com/redaxo/redaxo/releases/tag/5.12.2
Restart Required: No
Instructions:
1. Back up your Redaxo installation and database.
2. Download Redaxo 5.12.2 or later from the official repository.
3. Replace the affected files with the patched version.
4. Verify that the update was successful by checking the version in the admin panel.
🔧 Temporary Workarounds
Restrict Module Upload Permissions
Temporarily remove module upload capabilities from all non-essential users until patching is complete.
Navigate to Redaxo admin panel > Users & Permissions > Edit user permissions > Uncheck 'Install/update modules'
Implement Web Application Firewall
Deploy a WAF with rules that inspect uploads to the module and package pages and block requests whose content contains PHP code.
🧯 If You Can't Patch
- Implement strict access controls to limit module uploads to only absolutely necessary, trusted administrators.
- Deploy runtime application self-protection (RASP) or intrusion detection systems to monitor for suspicious PHP execution patterns.
🔍 How to Verify
Check if Vulnerable:
Check if your Redaxo CMS version is 5.12.1 by logging into the admin panel and viewing the version in the footer or system information page.
Check Version:
Check the Redaxo admin dashboard footer or navigate to System > Information in the admin panel.
Verify Fix Applied:
After updating, confirm the version shows 5.12.2 or higher in the admin panel. Test module upload functionality with safe test files.
📡 Detection & Monitoring
Log Indicators:
- Unusual module uploads from user accounts
- PHP execution errors in web server logs
- Files with suspicious names uploaded to modules directory
Network Indicators:
- Unexpected outbound connections from the web server following module uploads
- HTTP requests to known malicious domains
SIEM Query:
source="web_server_logs" AND (uri="/redaxo/index.php?page=modules/add" OR uri CONTAINS "/redaxo/index.php?page=packages") AND status=200
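As an added example (not from this advisory or the Redaxo project), the SIEM query above rendered as a small Python filter over constructed access-log lines; it assumes the Apache/nginx combined log format and, unlike the query, keeps only POST requests by default, since a GET of the module page is ordinary admin browsing while a POST is an actual upload attempt:

```python
import re
from collections import Counter

# Apache/nginx "combined" access log format (assumed; sample lines below are constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# URI patterns taken from the SIEM query: exact match for the module-add page,
# substring match for the packages page.
MODULES_ADD_URI = "/redaxo/index.php?page=modules/add"
PACKAGES_URI = "/redaxo/index.php?page=packages"

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_requests(lines, methods=("POST",)):
    """Return parsed entries that hit a module/package page with a 200 response.
    Only the given methods are kept; restrict to POST to see upload/install attempts
    rather than every admin who merely opened the page."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if not e or e["status"] != "200" or e["method"] not in methods:
            continue
        if e["uri"] == MODULES_ADD_URI or PACKAGES_URI in e["uri"]:
            hits.append(e)
    return hits

def uploads_per_source(hits):
    """Count matching requests per client IP so a burst from one source stands out."""
    return Counter(h["ip"] for h in hits)

# Constructed sample log lines (not real traffic; RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2021:13:55:36 +0000] "GET /redaxo/index.php?page=modules/add HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Oct/2021:13:56:02 +0000] "POST /redaxo/index.php?page=modules/add HTTP/1.1" 200 312',
    '203.0.113.5 - - [10/Oct/2021:13:56:40 +0000] "POST /redaxo/index.php?page=packages&subpage=upload HTTP/1.1" 200 287',
    '198.51.100.7 - - [10/Oct/2021:14:01:11 +0000] "POST /redaxo/index.php?page=modules/add HTTP/1.1" 403 0',
    '198.51.100.7 - - [10/Oct/2021:14:02:30 +0000] "GET /index.php?article_id=1 HTTP/1.1" 200 8810',
]

if __name__ == "__main__":
    hits = suspicious_requests(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], h["method"], h["uri"])
    print(uploads_per_source(hits))
```

Pass `methods=("GET", "POST")` to reproduce the original query's behaviour, which does not distinguish browsing from uploading.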