Feb 28, 2026
Authenticated users with backup permissions can manipulate the 'EXPDIR' parameter to include arbitrary server files in backup archives, leading to sensitive data exposure.
A high-severity path traversal vulnerability in the REDAXO CMS Backup addon allows authenticated attackers to read arbitrary files from the server filesystem. By manipulating the export directory parameters during the backup process, attackers can traverse outside the webroot and include sensitive configuration files in the generated backup archive.
REDAXO is a PHP-based Content Management System (CMS) widely used for building flexible websites. The core system includes a "Backup" addon designed to facilitate the export and import of database contents and filesystem assets. This functionality is critical for system maintenance and migration tasks.
CVE-2026-21857 identifies a Path Traversal vulnerability (CWE-22) within the file export mechanism of this addon. The vulnerability stems from insufficient validation of user-supplied directory paths when generating a backup archive. Specifically, the application fails to verify that requested directories reside within the intended webroot or allowed asset folders.
This flaw allows an attacker to manipulate the file inclusion list, effectively bypassing access controls implemented at the application level. While the vulnerability requires authentication, the privilege level required (access to the Backup addon) is often granted to power users or lower-tier administrators, making this a significant risk for privilege escalation or lateral movement.
The root cause of this vulnerability lies in the improper handling of the EXPDIR POST parameter in redaxo/src/addons/backup/pages/export.php. This parameter is intended to receive a list of directories selected by the user from the frontend interface to be included in the backup archive.
In vulnerable versions (prior to 5.20.2), the application accepts this array of directory paths directly from the client request without sufficient server-side verification. The backend code iterates through the EXPDIR array and passes the values to the archiving function. Crucially, the code lacks two specific security controls:
- An allowlist check confirming that each requested directory is one of the export folders the server itself considers legitimate (the check the 5.20.2 patch introduces).
- Filtering of traversal sequences (../ or ..\) that allow navigation to parent directories.

This "Trust but don't Verify" approach allows an attacker to supply a crafted path like ../../redaxo/data/core/ instead of a legitimate path like media, forcing the archiver to package sensitive system files.
The remediation for CVE-2026-21857 involved moving from an implicit trust model to a strict allowlist model. The following analysis highlights the critical changes in redaxo/src/addons/backup/pages/export.php.
Vulnerable Code (Simplified):

```php
// The application retrieves the array of directories to export directly from POST
$EXPDIR = rex_post('EXPDIR', 'array');

// The array is passed to the export function without validation
if ($EXPDIR) {
    $content = rex_backup::exportFiles($EXPDIR);
}
```

Patched Code (Commit 1572bd3):
```php
// 1. Define the base directory for validation
$dir = rex_path::frontend();

// 2. Dynamically discover legitimate directories using rex_finder
// This generates the 'source of truth' for what is allowed
$folders = rex_finder::factory($dir)
    ->dirsOnly()
    ->ignoreDirs('.*')      // Ignore hidden directories
    ->ignoreDirs('redaxo'); // Explicitly protect the system directory

// 3. Normalize the discovered folders to basenames
$folders = array_keys(iterator_to_array($folders));
$folders = array_map(rex_path::basename(...), $folders);

// 4. Retrieve user input with stricter type hinting
$EXPDIR = rex_post('EXPDIR', 'array[string]');

// 5. CRITICAL FIX: Intersect user input with the allowlist
// Any path in $EXPDIR that is not in $folders is silently dropped
$EXPDIR = array_intersect($EXPDIR, $folders);

if ($EXPDIR) {
    $content = rex_backup::exportFiles($EXPDIR);
}
```

The use of array_intersect is the key mechanism here. It compares plain string values, so even if an attacker sends ../../config, the result of the intersection will be empty because ../../config does not exist in the trusted $folders list generated by the server.
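The two controls the vulnerable code lacked, as an added example in Python that is not REDAXO's own code: it rebuilds the patched allowlist logic with the standard library (os.scandir in place of rex_finder, a plain list in place of rex_post) and adds the realpath containment check that the write-up names as the missing traversal filter. The webroot layout is a constructed temporary directory, and the traversal payload is the one from the write-up.

```python
import os
import tempfile

# Added example, not REDAXO's own code. Models the two controls the
# vulnerable export.php lacked: a server-built allowlist (what the 5.20.2
# patch adds via rex_finder + array_intersect) and a realpath containment
# check. Standard library only; the webroot layout below is constructed.


def discover_allowed_dirs(frontend: str) -> set:
    """Mirror the patched export.php: allow only top-level, non-hidden
    directories under the frontend root, and never 'redaxo' itself."""
    allowed = set()
    for entry in os.scandir(frontend):
        if not entry.is_dir(follow_symlinks=False):
            continue
        if entry.name.startswith('.') or entry.name == 'redaxo':
            continue
        allowed.add(entry.name)
    return allowed


def filter_export_dirs(requested: list, allowed: set) -> list:
    """Equivalent of array_intersect($EXPDIR, $folders): exact string
    comparison, so any value that is not a bare allowed name is dropped."""
    return [d for d in requested if d in allowed]


def is_within(base: str, candidate: str) -> bool:
    """Defense in depth: resolve '..' and symlinks, then confirm the result
    is still under base. This is the traversal check the original lacked."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, candidate))
    return os.path.commonpath([base_real, target]) == base_real


def demo() -> dict:
    """Run both controls against a legitimate request and the traversal
    payload from the write-up, inside a constructed temporary webroot."""
    with tempfile.TemporaryDirectory() as root:
        frontend = os.path.join(root, 'htdocs')
        for sub in ('media', 'assets', 'redaxo/data/core', '.git'):
            os.makedirs(os.path.join(frontend, sub))
        allowed = discover_allowed_dirs(frontend)
        attack = ['../../redaxo/data/core/', 'redaxo', '.git', 'media']
        return {
            'allowed': sorted(allowed),
            'legit_after_intersect': filter_export_dirs(['media'], allowed),
            'attack_after_intersect': filter_export_dirs(attack, allowed),
            'traversal_within_root': is_within(frontend, '../../redaxo/data/core/'),
            'redaxo_within_root': is_within(frontend, 'redaxo'),
            'media_within_root': is_within(frontend, 'media'),
        }


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value}')
```

Calling demo() returns both verdicts side by side and shows why the patch relies on the allowlist rather than on containment alone: the realpath check correctly rejects ../../redaxo/data/core/ but would still accept redaxo, because that directory does live inside the webroot, whereas the allowlist excludes it by construction and drops hidden directories and nested paths at the same time.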
To exploit this vulnerability, an attacker must first authenticate to the REDAXO backend and possess permissions to access the Backup addon. The exploitation process follows a standard parameter tampering workflow.
Step 1: Traffic Interception
The attacker navigates to the "Backup" page and initiates a standard file export. Using a proxy tool like Burp Suite or OWASP ZAP, they intercept the HTTP POST request destined for index.php?page=backup/export.
Step 2: Payload Injection
The legitimate request will contain a body similar to:
EXPTABLES[]=...&EXPDIR[]=media&export=Export
The attacker modifies the EXPDIR parameter to point to sensitive system paths. A common target in REDAXO installations is the core configuration file which may contain database credentials.
Payload:
EXPDIR[]=../../redaxo/data/core/
Step 3: Retrieval
The server processes the request, traverses up from the webroot, and archives the contents of the targeted directory. The response is a .tar.gz file download. The attacker extracts this archive locally to view the contents of the restricted files.
The impact of CVE-2026-21857 is rated as High (CVSS 8.3) because it directly compromises the confidentiality of the entire system. While the integrity and availability impacts are technically Low/None (the attacker is reading, not writing or deleting), the data obtained facilitates complete system compromise.
Confidentiality Loss:
Successful exploitation allows the retrieval of config.yml and master.inc.php. These files typically contain database credentials and other core configuration settings.
Secondary Attacks: With database credentials, an attacker can directly connect to the database (if exposed) or leverage other SQL injection vectors that were previously impractical without valid credentials. Furthermore, access to source code allows for white-box analysis to find further vulnerabilities.
The primary remediation is to update the REDAXO CMS to version 5.20.2 or later. This version includes the patch that enforces strict directory allowlisting.
Verification:
Administrators can verify their installation is patched by checking redaxo/src/addons/backup/pages/export.php. If the code contains the array_intersect($EXPDIR, $folders) logic, the system is secure against this specific attack vector.
Temporary Mitigation:
If an immediate upgrade is not feasible, administrators should restrict access to the Backup addon. This can be done via the User Management interface by revoking the backup[] permission from all non-admin users. Additionally, Web Application Firewall (WAF) rules can be deployed to block requests to index.php containing ../ sequences in POST bodies, though this is a fragile defense compared to patching.
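A detection counterpart to the WAF rule discussed above, as an added example that is not part of the original write-up or of REDAXO: it scans request log lines for POSTs to the backup export page whose EXPDIR[] values are anything other than a bare folder name, decoding URL encoding (including double encoding) first. The log format and the sample lines are constructed for this example.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote

# Added example, not part of the write-up or of REDAXO. Flags backup-export
# POSTs whose EXPDIR[] values are not bare folder names. The log format
# "<ip> <method> <path> <body>" and the sample lines are constructed.

LOG_LINE = re.compile(r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<body>.*)$')
TRAVERSAL = re.compile(r'(^|/)\.\.(/|$)')   # '..' as a whole path component


def normalise(value: str) -> str:
    """Undo up to three layers of URL encoding and unify separators, so
    %2e%2e%2f, %252e%252e%252f and ..\\ are all seen as '../'. A naive
    '../' substring rule misses these, which is why the write-up calls a
    WAF rule a fragile defense compared to patching."""
    current, previous = value, None
    for _ in range(3):                 # bounded, never loops forever
        if current == previous:
            break
        previous, current = current, unquote(current)
    return current.replace('\\', '/')


def classify(value: str) -> Optional[str]:
    """Why a value is suspicious, or None for a plain folder name."""
    v = normalise(value)
    if TRAVERSAL.search(v):
        return 'traversal'
    if v.startswith('/') or re.match(r'^[A-Za-z]:/', v):
        return 'absolute'
    if '/' in v:
        return 'nested'                # the allowlist only holds top-level names
    return None


def scan_log(lines) -> list:
    """Return one alert per suspicious EXPDIR[] value in export POSTs."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m['method'] != 'POST' or 'page=backup/export' not in m['path']:
            continue
        params = parse_qs(m['body'], keep_blank_values=True)
        for raw in params.get('EXPDIR[]', []):
            reason = classify(raw)
            if reason:
                alerts.append({'ip': m['ip'], 'value': raw, 'reason': reason})
    return alerts


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "10.0.0.5 POST /index.php?page=backup/export EXPTABLES[]=rex_article&EXPDIR[]=media&export=Export",
    "10.0.0.9 POST /index.php?page=backup/export EXPTABLES[]=rex_article&EXPDIR[]=../../redaxo/data/core/&export=Export",
    "10.0.0.9 POST /index.php?page=backup/export EXPDIR[]=%2e%2e%2f%2e%2e%2fredaxo%2fdata%2fcore&export=Export",
    "10.0.0.9 POST /index.php?page=backup/export EXPDIR[]=%252e%252e%252fredaxo&export=Export",
    "10.0.0.9 POST /index.php?page=backup/export EXPDIR[]=media%2F..%2F..%2Fredaxo&export=Export",
    "10.0.0.5 POST /index.php?page=backup/export EXPDIR[]=media%2Fimages&export=Export",
    "10.0.0.7 GET /index.php?page=backup/export -",
]

if __name__ == '__main__':
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The rule deliberately mirrors the patched server logic rather than a traversal-string blocklist: the fixed export.php only ever accepts bare top-level names, so any separator in the value is already out of policy and worth an alert, whether or not it contains "..". On a patched 5.20.2 host these requests are harmless and the alerts serve as post-patch telemetry; on an unpatched host they are the signal to act on.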
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| REDAXO CMS | < 5.20.2 | 5.20.2 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-22 |
| Attack Vector | Network (Authenticated) |
| CVSS v4.0 | 8.3 (High) |
| EPSS Score | 0.00026 (Low) |
| Impact | Information Disclosure |
| Exploit Status | PoC Available |
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.