Pagekit CMS
cpe:2.3:a:pagekit:pagekit:*:*:*:*:*:*:*
- <= 1.0.18
A remote code execution vulnerability has been identified in Pagekit CMS versions through 1.0.18. The issue resides in the StringStorage template handler, specifically in the evaluate function of app/modules/view/src/PhpEngine.php. Template content is passed to dynamic code evaluation without proper sanitization of the directives it contains, which allows injection and execution of arbitrary PHP code and operating system commands with the privileges of the web server process. The vulnerability could lead to a full server compromise, including unauthorized file access and execution of malicious payloads.
Exploitation of this vulnerability allows for remote code execution on the server, with the executed code running under the web server's privileges. This could lead to a complete takeover of the server, allowing an attacker to read and write files, execute commands, establish a reverse shell, and move laterally within the network.
To reproduce this vulnerability, upload a template that includes malicious PHP code into a Pagekit CMS installation that is version 1.0.18 or earlier. Once the template is uploaded, the PHP code will be executed on the server via the eval() function in the PhpEngine class. This can be done through the admin panel by creating or editing a template and injecting the code. Alternatively, if the template engine processes untrusted data, the vulnerability could be exploited by manipulating the data flow to include the malicious code.
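The root cause above is a template engine that treats template text as executable PHP. The following is an added example, not Pagekit's own code, that contrasts that pattern with two defensive alternatives: a substitution-only renderer that never evaluates template text and refuses input containing a PHP open tag, and a path check that restricts executable file templates to a fixed deploy-time directory. The function and class names (renderWithEval, SafeStringTemplate, resolveTrustedTemplate) and the $baseDir argument are assumptions for this illustration, and the sample inputs are constructed; it targets PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added example (not Pagekit's code). Names below are assumptions for the
// illustration, not identifiers from the project.

// VULNERABLE PATTERN: the template string itself is handed to eval(), so any
// PHP it contains runs with the web server's privileges. Shown only for
// contrast; it is never called in this example.
function renderWithEval(string $template, array $vars): string
{
    extract($vars);
    ob_start();
    eval('?>' . $template);
    return (string) ob_get_clean();
}

// HARDENED PATTERN: templates are data, not code. Only {{ name }} placeholders
// are substituted, every value is HTML-escaped, and a template that contains a
// PHP open tag is rejected before it can reach any evaluator.
final class SafeStringTemplate
{
    private const PLACEHOLDER = '/\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/';

    public static function render(string $template, array $vars): string
    {
        if (preg_match('/<\?(php|=)?/i', $template) === 1) {
            throw new InvalidArgumentException('template contains a PHP open tag; refusing to render');
        }
        $out = preg_replace_callback(self::PLACEHOLDER, static function (array $m) use ($vars): string {
            if (!array_key_exists($m[1], $vars)) {
                throw new InvalidArgumentException("unknown placeholder: {$m[1]}");
            }
            return htmlspecialchars((string) $vars[$m[1]], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        }, $template);
        return (string) $out;
    }
}

// FILE TEMPLATES: where templates must be executable PHP, load them only from a
// fixed directory populated at deploy time, and reject any name that resolves
// outside it (symlinks and "../" included). $baseDir is an assumption here.
function resolveTrustedTemplate(string $baseDir, string $name): string
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || substr($path, -4) !== '.php') {
        throw new RuntimeException("template '{$name}' is not inside the trusted template directory");
    }
    return $path;
}

// Constructed inputs for the demonstration.
$benign  = 'Hello, {{ user }}!';
$hostile = 'Hello, <?php echo "this text would execute under eval()"; ?>';

echo SafeStringTemplate::render($benign, ['user' => '<b>alice</b>']), PHP_EOL;
// prints: Hello, &lt;b&gt;alice&lt;/b&gt;!

try {
    SafeStringTemplate::render($hostile, []);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The substitution renderer is sufficient for the "string template" use case the advisory describes, because the values a CMS needs in a string template (titles, user names, URLs) never require executing code. Where a project genuinely needs PHP templates, the file-path check is the control that keeps the eval surface limited to files an administrator placed on disk, rather than content that arrived through a request.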