MaxSite CMS Code Injection Vulnerability in MarkItUp Preview AJAX Endpoint

Vulnerability

A code injection vulnerability has been identified in MaxSite CMS versions through 109.1. The issue lies in the MarkItUp preview AJAX endpoint, 'application/maxsite/admin/plugins/editor_markitup/preview-ajax.php', where user-supplied request data reaches a PHP 'eval' call. Because the endpoint neither authenticates the caller nor validates the input before evaluating it, an unauthenticated remote attacker can execute arbitrary PHP code on the server.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server, under the privileges of the web server or PHP process. This could lead to a complete compromise of the CMS, including access to content, user accounts, and the database, with potential for persistent changes or lateral movement on the host, depending on security configurations.

Reproduction

To reproduce this vulnerability, send a POST request to the 'preview-ajax.php' endpoint with crafted data that includes PHP code wrapped in MarkItUp's PHP shortcode tags. The 'run_php' plugin must be enabled, as it allows the execution of PHP code injected through the preview AJAX endpoint.

Remediation

Users are advised to upgrade to MaxSite CMS version 109.2, which addresses this vulnerability. The patch is available on the MaxSite CMS GitHub repository.
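The two checks a defender wants from this advisory are whether an installation still runs an affected release (anything before 109.2) and whether the preview endpoint has been receiving POST requests. The following Python script is an added example written for this page; it is not MaxSite CMS code and not part of the advisory. It assumes an Apache/nginx "combined" access log format, and the sample log lines embedded below are constructed for the example. The endpoint path and the 109.1/109.2 version boundary are the only values taken from the advisory.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected endpoint path, as given in the advisory.
VULNERABLE_ENDPOINT = "/application/maxsite/admin/plugins/editor_markitup/preview-ajax.php"

# Advisory states: affected through 109.1, fixed in 109.2.
FIXED_VERSION: Tuple[int, ...] = (109, 2)

# "combined" log format (assumption for this example); referer/UA are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample lines: two POSTs (one with a query string) from one
# source, an unrelated GET, and a GET to the endpoint that is not a hit.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2026:14:10:02 +0000] "POST /application/maxsite/admin/plugins/editor_markitup/preview-ajax.php HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.4 - - [01/Mar/2026:14:10:05 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Mar/2026:14:10:09 +0000] "POST /application/maxsite/admin/plugins/editor_markitup/preview-ajax.php?x=1 HTTP/1.1" 200 77 "-" "python-requests/2.31"',
    '192.0.2.9 - - [01/Mar/2026:14:11:00 +0000] "GET /application/maxsite/admin/plugins/editor_markitup/preview-ajax.php HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '109.1' into (109, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when the installed MaxSite CMS release predates the 109.2 fix."""
    return parse_version(version) < FIXED_VERSION


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None for lines that do not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_preview_ajax_posts(lines: List[str]) -> List[Dict[str, str]]:
    """Return entries for POST requests to the affected endpoint.

    The query string is stripped before comparing paths so that variants such
    as '...preview-ajax.php?x=1' are still matched.
    """
    hits = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None:
            continue
        path = entry["path"].split("?", 1)[0]
        if entry["method"] == "POST" and path == VULNERABLE_ENDPOINT:
            hits.append(entry)
    return hits


def summarize_by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count matched requests per source IP for triage."""
    counts: Dict[str, int] = {}
    for entry in hits:
        counts[entry["ip"]] = counts.get(entry["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for ver in ("109.1", "109.2"):
        state = "vulnerable" if is_vulnerable_version(ver) else "patched"
        print(f"MaxSite CMS {ver}: {state}")
    for ip, n in summarize_by_source(find_preview_ajax_posts(SAMPLE_LOG)).items():
        print(f"{ip}: {n} POST request(s) to preview-ajax.php")
```

A POST to this endpoint is also what a logged-in administrator's editor sends when rendering a preview, so a hit is not by itself an incident. Treat the output as a list of sources to correlate against admin session records and the request timing (requests from hosts with no admin login, or bursts from automation user agents, are the ones worth a closer look), and pair the log review with the version check: any installation below 109.2 should be upgraded regardless of what the logs show.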

Added: Mar 1, 2026, 2:18 PM
Updated: Mar 1, 2026, 2:18 PM

Vulnerability Rating (Custom Algorithm)

  spread          1.0
  impact          7.5
  exploitability  9.7
  remediation     7.7
  relevance       3.7
  threat          6.4
  urgency         2.9
  incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.