MaxSite CMS
cpe:2.3:a:maxsite:cms:*:*:*:*:*:*:*
- <= 109
A vulnerability allowing arbitrary file uploads has been identified in MaxSite CMS versions through 109. The issue resides in the file 'application/maxsite/admin/plugins/auto_post/uploads-require-maxsite.php', within the HTTP Header Handler component. This vulnerability can be exploited remotely by manipulating the 'X-Requested-FileName' and 'X-Requested-FileUpDir' headers to upload malicious files, such as PHP web shells, to the server.
Exploitation of this vulnerability allows for unrestricted file uploads, which can lead to the execution of uploaded files if the server processes them as executable scripts. In this case, the vulnerability was used to upload a web shell, potentially allowing for remote code execution on the server.
To reproduce this vulnerability, log into the MaxSite CMS backend. Once authenticated, send a POST request to the '/require-maxsite/' endpoint with the 'X-Requested-FileName' header set to '.htaccess' and the 'X-Requested-FileUpDir' header set to 'uploads/'. This request should include a payload designed to overwrite the default .htaccess file in the uploads directory, removing any restrictions on file execution. After successfully clearing the .htaccess file, upload a PHP file by setting the 'X-Requested-FileName' header to the desired filename and the 'X-Requested-FileUpDir' header to 'uploads/'. The uploaded file can then be accessed and executed, as the vulnerability bypasses normal file handling restrictions.
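The server-side check that both requests described above would fail, as an added example (not MaxSite CMS code and not the vendor's fix). The function name `resolve_upload_target`, the extension allow-list, and the assumption that 'X-Requested-FileUpDir' is resolved relative to the site root are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not MaxSite CMS code. Allow-list and directory layout are assumptions.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf'];

/** Returns the absolute path to write to, or null when the request must be rejected. */
function resolve_upload_target(string $fileName, string $upDir, string $siteRoot): ?string
{
    // Plain file name only: no path separators, NUL bytes or control characters.
    if ($fileName === '' || $fileName !== basename($fileName)
        || preg_match('#[\x00-\x1f/\\\\]#', $fileName) === 1) {
        return null;
    }
    // Dotfiles such as .htaccess or .user.ini reconfigure the directory itself.
    if ($fileName[0] === '.') {
        return null;
    }
    // Every dot-separated suffix must be allow-listed, so "a.php.jpg" fails too.
    $suffixes = array_slice(explode('.', strtolower($fileName)), 1);
    if ($suffixes === []) {
        return null;
    }
    foreach ($suffixes as $suffix) {
        if (!in_array($suffix, ALLOWED_EXTENSIONS, true)) {
            return null;
        }
    }
    // The target directory must exist and resolve (symlinks, "..") inside uploads/.
    $root = realpath($siteRoot . DIRECTORY_SEPARATOR . 'uploads');
    $dir  = realpath($siteRoot . DIRECTORY_SEPARATOR . $upDir);
    if ($root === false || $dir === false) {
        return null;
    }
    $inside = $dir === $root
        || strncmp($dir, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0;
    return $inside ? $dir . DIRECTORY_SEPARATOR . $fileName : null;
}

// Constructed demo: temporary site root with an uploads/ directory.
$site = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_demo_' . getmypid();
@mkdir($site . '/uploads/2024', 0700, true);
$cases = [['.htaccess', 'uploads/'], ['script.php', 'uploads/'], ['a.php.jpg', 'uploads/'],
          ['photo.jpg', 'uploads/../'], ['photo.jpg', 'uploads/2024']];
foreach ($cases as [$name, $dir]) {
    $target = resolve_upload_target($name, $dir, $site);
    printf("%-10s %-12s => %s\n", $name, $dir, $target ?? 'REJECTED');
}
```

Only the last constructed case returns a path; the dotfile, the script extension, the double extension and the directory that resolves outside uploads/ are all rejected before anything is written.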