MaxSite CMS
cpe:2.3:a:maxsite:cms:*:*:*:*:*:*:*
- <= 109
A file upload vulnerability has been identified in MaxSite CMS versions through 109. The issue resides in the file application/maxsite/admin/plugins/editor_files/save-file-ajax.php, where the POST parameters file_path and content can be manipulated to allow unrestricted file uploads. This vulnerability can be exploited remotely by authenticated users.
Exploitation of this vulnerability allows authenticated users to upload arbitrary files to the server, potentially overwriting existing files. In some cases, this could lead to remote code execution.
To reproduce this vulnerability, log into the MaxSite CMS backend as an administrator. Once logged in, send a POST request to the /ajax/ endpoint in which the file_path parameter holds the base64-encoded path of the target file in the templates directory, such as info.php, and the content parameter holds the desired file content. After the request is processed, the uploaded file can be accessed at the specified path, which confirms that the vulnerability was exploited successfully.
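A log-review check for the request described above, as an added example that is not part of the original advisory or of MaxSite CMS: it decodes file_path from logged POST bodies sent to /ajax/ and flags writes that leave the base directory or target a server-executable extension. The extension list, the assumption that the decoded path is relative to a base directory, the function names and the sample requests are all constructed for illustration.

```python
import base64
import binascii
import posixpath
from urllib.parse import parse_qs, quote

# Assumption: extensions this server hands to the PHP interpreter.
EXECUTABLE_EXT = {".php", ".phtml", ".phar"}

def decode_file_path(value):
    """Decode the base64 file_path value; None if it is not base64/UTF-8."""
    value = value.replace(" ", "+")  # parse_qs turns an unescaped '+' into a space
    try:
        padded = value + "=" * (-len(value) % 4)
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def assess_request(method, url_path, body):
    """Return findings for one logged request; an empty list means nothing to flag."""
    if method != "POST" or not url_path.rstrip("/").endswith("/ajax"):
        return []
    params = parse_qs(body, keep_blank_values=True)
    if "file_path" not in params or "content" not in params:
        return []
    decoded = decode_file_path(params["file_path"][0])
    if decoded is None:
        return ["file_path is not valid base64"]
    findings = []
    norm = posixpath.normpath(decoded.replace("\\", "/"))
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        findings.append("path leaves the base directory: " + norm)
    if posixpath.splitext(norm)[1].lower() in EXECUTABLE_EXT:
        findings.append("writes a server-executable file: " + norm)
    return findings

def form_body(path, content):
    """Build a constructed sample body the way a browser form would encode it."""
    b64 = base64.b64encode(path.encode()).decode()
    return "file_path=" + quote(b64, safe="") + "&content=" + quote(content, safe="")

# Constructed sample requests (method, URL path, body); not captured traffic.
SAMPLES = [
    ("POST", "/ajax/", form_body("templates/default/css/style.css", "body{}")),
    ("POST", "/ajax/", form_body("templates/default/info.php", "placeholder")),
    ("POST", "/ajax/", form_body("templates/../../config.txt", "placeholder")),
    ("GET", "/ajax/", ""),
]

if __name__ == "__main__":
    for method, url_path, body in SAMPLES:
        print(method, url_path, assess_request(method, url_path, body))
```

The check needs request bodies, so it applies to WAF, reverse-proxy or application logs that record POST data; a standard access log does not contain file_path.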