Summary
The mediapool sync page (sync.php) renders filenames from the /media filesystem directory directly into HTML without applying rex_escape() (i.e., htmlspecialchars). Any file placed in the media directory whose filename contains HTML metacharacters will execute JavaScript in the browser of any backend user who views the sync page.
Details
In redaxo/src/addons/mediapool/pages/sync.php, the variable $diffFiles is populated from actual filesystem filenames (files in /media/ not yet registered in the database). These filenames are then rendered without escaping:
File: redaxo/src/addons/mediapool/pages/sync.php:119-120
foreach ($diffFiles as $file) {
if (is_writable(rex_path::media($file))) {
$e = [];
$e['label'] = '<label>' . $file . '</label>'; // NO rex_escape!
$e['field'] = '<input type="checkbox" name="sync_files[]" value="' . $file . '" />'; // NO rex_escape!
$writable[] = $e;
} else {
$notWritable[] = $file;
}
}
File: redaxo/src/addons/mediapool/pages/sync.php:170
$fragment->setVar('body', '<ul><li>' . implode('</li><li>', $notWritable) . '</li></ul>', false);
// $notWritable contains unescaped filenames
By contrast, all other filename displays in the codebase use rex_escape($fname) (e.g., media.detail.php:236, media.list.php). The sync page is accessible to any backend user with the media[sync] permission (not exclusively admins).
PoC
- Place a file named
<img src=x onerror=alert(document.cookie)>.txt into the REDAXO /media/ directory (via backup restore or server access) without adding it to the media database.
- Log in as any backend user with
media[sync] permission.
- Navigate to Mediapool → Sync.
- The XSS payload executes immediately, stealing the admin session cookie.
Impact
Stored XSS in the admin panel. An attacker who can place files in the media directory (via admin-level backup restore or server access) can achieve persistent XSS against all users who visit the sync page, including higher-privileged admins. This enables session hijacking, credential theft, and full CMS takeover.
Fix
Apply rex_escape() to all filename variables before inserting into HTML:
$e['label'] = '<label>' . rex_escape($file) . '</label>';
$e['field'] = '<input type="checkbox" name="sync_files[]" value="' . rex_escape($file) . '" />';
// ...
$fragment->setVar('body', '<ul><li>' . implode('</li><li>', array_map('rex_escape', $notWritable)) . '</li></ul>', false);
Summary
The mediapool sync page (
sync.php) renders filenames from the/mediafilesystem directory directly into HTML without applyingrex_escape()(i.e.,htmlspecialchars). Any file placed in the media directory whose filename contains HTML metacharacters will execute JavaScript in the browser of any backend user who views the sync page.Details
In
redaxo/src/addons/mediapool/pages/sync.php, the variable$diffFilesis populated from actual filesystem filenames (files in/media/not yet registered in the database). These filenames are then rendered without escaping:File:
redaxo/src/addons/mediapool/pages/sync.php:119-120File:
redaxo/src/addons/mediapool/pages/sync.php:170By contrast, all other filename displays in the codebase use
rex_escape($fname)(e.g.,media.detail.php:236,media.list.php). The sync page is accessible to any backend user with themedia[sync]permission (not exclusively admins).PoC
<img src=x onerror=alert(document.cookie)>.txtinto the REDAXO/media/directory (via backup restore or server access) without adding it to the media database.media[sync]permission.Impact
Stored XSS in the admin panel. An attacker who can place files in the media directory (via admin-level backup restore or server access) can achieve persistent XSS against all users who visit the sync page, including higher-privileged admins. This enables session hijacking, credential theft, and full CMS takeover.
Fix
Apply
rex_escape()to all filename variables before inserting into HTML: