Summary
The rex_api_install_package_update API function (install addon) does not override requiresCsrfProtection(), which defaults to false in the base class rex_api_function. Any authenticated admin can therefore be tricked via a CSRF attack into silently triggering a package update from the REDAXO package server.
Details
File: redaxo/src/core/lib/api_function.php:277-280
protected function requiresCsrfProtection()
{
return false; // DEFAULT — subclasses must opt in
}
File: redaxo/src/addons/install/lib/api/api_package_update.php:8-39
class rex_api_install_package_update extends rex_api_function
{
public function execute()
{
if (!rex::getUser()?->isAdmin()) {
throw new rex_api_exception('You do not have the permission!');
}
$addonkey = rex_request('addonkey', 'string');
$fileId = rex_request('file', 'int');
$installer = new rex_install_package_update();
// ... downloads and installs $addonkey version $fileId from redaxo.org
}
// requiresCsrfProtection() NOT overridden — defaults to false
}
For comparison, rex_api_install_package_add and rex_api_install_package_delete both correctly return true. Only rex_api_install_package_update is missing this.
PoC
<!-- Attacker-controlled page -->
<img src="https://victim-redaxo.example.com/index.php?page=install/packages&rex-api-call=install_package_update&addonkey=some_addon&file=42" />
When an authenticated admin visits this page, the request is automatically made with their session cookie, causing some_addon to be updated to version file_id=42.
Impact
An attacker who can lure an admin to a malicious page can force-install specific addon versions. If combined with a supply-chain compromise of a package on redaxo.org, or by targeting a downgrade to a known-vulnerable version, this becomes a remote code execution vector. Even without supply-chain compromise, it can be used to disrupt the site by forcing unwanted updates.
Fix
Add requiresCsrfProtection() to rex_api_install_package_update:
protected function requiresCsrfProtection()
{
return true;
}
Summary
The
rex_api_install_package_updateAPI function (installaddon) does not overriderequiresCsrfProtection(), which defaults tofalsein the base classrex_api_function. Any authenticated admin can therefore be tricked via a CSRF attack into silently triggering a package update from the REDAXO package server.Details
File:
redaxo/src/core/lib/api_function.php:277-280File:
redaxo/src/addons/install/lib/api/api_package_update.php:8-39For comparison,
rex_api_install_package_addandrex_api_install_package_deleteboth correctly returntrue. Onlyrex_api_install_package_updateis missing this.PoC
When an authenticated admin visits this page, the request is automatically made with their session cookie, causing
some_addonto be updated to versionfile_id=42.Impact
An attacker who can lure an admin to a malicious page can force-install specific addon versions. If combined with a supply-chain compromise of a package on redaxo.org, or by targeting a downgrade to a known-vulnerable version, this becomes a remote code execution vector. Even without supply-chain compromise, it can be used to disrupt the site by forcing unwanted updates.
Fix
Add
requiresCsrfProtection()torex_api_install_package_update: