CVE-2018-25353: Redaxo CMS Mediapool RCE Vulnerability

CVE-2018-25353 is a remote code execution vulnerability in Redaxo CMS Mediapool Addon that allows authenticated attackers to upload and execute malicious files. This article covers technical details, affected versions, and mitigation.

CVE-2018-25353 Overview

CVE-2018-25353 is an arbitrary file upload vulnerability in the Redaxo CMS Mediapool Addon, affecting versions 5.5.1 and earlier. The flaw resides in the addon's file extension blacklist filter, which fails to block obfuscated PHP extensions such as php71 or php53. Authenticated users holding editor-level privileges can bypass the filter and upload executable scripts to the web root. Once uploaded, the attacker requests the file through the web server, achieving arbitrary code execution under the web server account. The weakness is categorized as [CWE-863] Incorrect Authorization.

Critical Impact

Authenticated editors can achieve remote code execution on the underlying server through obfuscated PHP file extensions, leading to full compromise of the Redaxo CMS installation.

Affected Products

  • Redaxo CMS Mediapool Addon version 5.5.1
  • Redaxo CMS Mediapool Addon versions earlier than 5.5.1
  • Redaxo CMS deployments bundling the vulnerable Mediapool component

Discovery Timeline

  • 2026-05-23 - CVE-2018-25353 published to NVD
  • 2026-05-26 - Last updated in NVD database

Technical Details for CVE-2018-25353

Vulnerability Analysis

The Mediapool addon implements upload validation through a denylist of forbidden file extensions. The denylist enumerates common executable suffixes such as .php, but it does not account for the full set of extensions the underlying PHP handler treats as executable. On many default Apache and PHP-FPM configurations, alternative suffixes including .php3, .php4, .php5, .php7, .php53, and .php71 are mapped to the PHP interpreter through AddHandler or SetHandler directives. An authenticated editor uploads a payload with one of these alternative suffixes through the Mediapool interface. The denylist accepts the file, stores it under the public media/ directory, and exposes it through a predictable URL. Requesting that URL triggers PHP interpretation of the attacker-supplied content.

Root Cause

The root cause is reliance on a denylist rather than an allowlist for upload filtering. Denylist validation cannot enumerate every executable suffix supported by downstream web server configurations. The addon also fails to enforce a content-type check or to store uploads outside the document root, removing the secondary controls that typically contain such bypasses.
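
The difference between the two filtering models can be seen side by side in the following added example, which is not Redaxo's code. The denylist and allowlist contents, the function names and the sample filenames are assumptions made for illustration; the allowlist check also goes beyond the advisory by rejecting double extensions and trailing dots.

```python
import re

# Hypothetical denylist in the style the advisory describes (not Redaxo's actual list).
DENYLIST = {"php", "php3", "php4", "php5", "phtml", "pl", "cgi", "exe"}
# Hypothetical allowlist of media types an editor legitimately needs.
ALLOWLIST = {"jpg", "jpeg", "png", "gif", "webp", "pdf", "txt", "mp4"}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]+$")


def denylist_accepts(filename: str) -> bool:
    """Weak check: reject only when the final extension is on the denylist."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in DENYLIST


def allowlist_accepts(filename: str) -> bool:
    """Strict check: exactly one extension, and it must be on the allowlist."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path component
    parts = name.split(".")
    # Exactly "stem.ext": rejects no extension, double extensions and trailing dots.
    if len(parts) != 2:
        return False
    stem, ext = parts
    return bool(SAFE_STEM.match(stem)) and ext.lower() in ALLOWLIST


def compare(filenames):
    """Return {filename: (denylist_verdict, allowlist_verdict)}."""
    return {f: (denylist_accepts(f), allowlist_accepts(f)) for f in filenames}


# Constructed sample filenames, including the suffixes named in the advisory.
SAMPLES = ["photo.jpg", "shell.php71", "shell.php53", "shell.PHP",
           "note.php.jpg", "report.pdf."]

if __name__ == "__main__":
    for name, (deny_ok, allow_ok) in compare(SAMPLES).items():
        print(f"{name:14} denylist={'accept' if deny_ok else 'reject'} "
              f"allowlist={'accept' if allow_ok else 'reject'}")
```

The denylist passes every name it did not anticipate, while the allowlist only passes names whose single extension is explicitly permitted.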

Attack Vector

Exploitation requires a valid editor account on the target Redaxo instance. The attacker authenticates, opens the Mediapool upload form, and submits a file named with an obfuscated PHP suffix such as shell.php71. After upload, the attacker browses to the resulting media URL and executes arbitrary PHP code. Public proof-of-concept material is documented in Exploit-DB entry 44891 and the VulnCheck advisory.

Detection Methods for CVE-2018-25353

Indicators of Compromise

  • Files in the Redaxo media/ directory with non-standard PHP suffixes such as .php3, .php4, .php5, .php7, .php53, or .php71.
  • Web server access logs showing GET requests to media/ URLs immediately following editor authentication events.
  • Outbound network connections from the PHP-FPM or web server process to unfamiliar hosts following a media upload.

Detection Strategies

  • Monitor Mediapool upload events and correlate them with subsequent HTTP requests for the uploaded filenames.
  • Hash and inspect newly created files in media storage paths, flagging any that contain PHP open tags (<?php).
  • Apply web application firewall rules that block upload requests where the filename matches the regex \.ph(p[0-9]*|tml|ar)$, which also covers multi-digit suffixes such as php53 and php71.
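
The file-inspection strategy above, together with the first indicator of compromise, can be sketched as a small scanner. This is an added example, not part of the original advisory or of Redaxo; the function names, the 1 MiB read limit and the sample files written to a temporary directory are constructed for illustration.

```python
import os
import re
import tempfile

# Suffixes commonly mapped to the PHP handler; \d* covers php53, php71, etc.
PHP_SUFFIX = re.compile(r"\.(php\d*|phtml|phar)$", re.IGNORECASE)
# Full open tag or short echo tag; "<?xml" does not match.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
MAX_SCAN_BYTES = 1024 * 1024  # read at most 1 MiB per file


def scan_media_dir(root):
    """Return sorted (relative_path, reasons) for files that look like PHP."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if PHP_SUFFIX.search(name):
                reasons.append("php-suffix")
            try:
                with open(path, "rb") as fh:
                    if PHP_OPEN_TAG.search(fh.read(MAX_SCAN_BYTES)):
                        reasons.append("php-open-tag")
            except OSError:
                reasons.append("unreadable")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


def demo():
    """Build a constructed media directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample files, not real indicators
            "logo.png": b"\x89PNG\r\n\x1a\n constructed image bytes",
            "upload.php71": b"<?php /* constructed placeholder */ ?>",
            "snippet.txt": b"text with a <?php open tag inside",
            "notes.txt": b"plain text",
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_media_dir(root)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, ",".join(reasons))
```

Point scan_media_dir at the real media/ path to run it against an installation; files flagged only for an open tag deserve review even when their suffix looks harmless.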

Monitoring Recommendations

  • Audit Redaxo editor accounts and review the rex_user table for unauthorized or dormant accounts with editor privileges.
  • List exec, system, passthru, and shell_exec in PHP's disable_functions directive and monitor the PHP error log for blocked calls to them, which surface execution attempts originating from media files.
  • Forward web server, PHP-FPM, and Redaxo audit logs to a centralized analytics platform for correlation across authentication and upload events.

How to Mitigate CVE-2018-25353

Immediate Actions Required

  • Upgrade the Mediapool addon and the Redaxo CMS core to a release later than 5.5.1 that enforces strict extension validation.
  • Reset credentials for all editor-level accounts and revoke any sessions created during the suspected exposure window.
  • Inspect the media/ directory for files with executable suffixes and remove unauthorized uploads.

Patch Information

Updated releases are available from the Redaxo project site. Administrators running the vulnerable 5.5.1 build should migrate to a current supported version, which enforces an allowlist of permitted media extensions in the Mediapool addon.

Workarounds

  • Configure the web server to never execute PHP from the Redaxo media/ directory by adding a directive such as php_admin_flag engine off or removing the PHP handler for that path.
  • Restrict editor account assignment to trusted users only, and require multi-factor authentication for the Redaxo backend.
  • Deploy a web application firewall rule that rejects multipart uploads whose filenames match alternative PHP extensions including php3, php4, php5, php7, php53, php71, and phtml.
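
```apache
# Apache configuration to disable PHP execution in the Redaxo media directory
<Directory "/var/www/redaxo/media">
    # Requires mod_php; omit this line when PHP runs through PHP-FPM
    php_admin_flag engine off
    # [0-9]* (not [0-9]?) so multi-digit suffixes such as .php53 and .php71 match
    <FilesMatch "\.ph(p[0-9]*|tml|ar)$">
        Require all denied
    </FilesMatch>
    Options -ExecCGI
    # Serve any remaining PHP-suffixed file as plain text instead of executing it
    AddType text/plain .php .php3 .php4 .php5 .php7 .php53 .php71 .phtml
</Directory>
```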

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
