CVE-2025-12346
📋 TL;DR
This vulnerability in MaxSite CMS allows an attacker to upload arbitrary files, with no restriction on file type, by manipulating an HTTP request header (X-Requested-FileName) sent to the upload handler of the auto_post plugin. It affects MaxSite CMS installations up to version 109. Exploitation is remote and unauthenticated requests to the handler are the entry point; an uploaded webshell gives code execution on the web server and can lead to complete system compromise.
💻 Affected Systems
- MaxSite CMS
📦 What is this software?
MaxSite CMS, a PHP-based content management system by Max 3000
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover via webshell upload leading to data theft, ransomware deployment, or use as attack platform
Likely Case
Webshell upload enabling backdoor access, data exfiltration, and lateral movement within the network
If Mitigated
Vulnerable endpoint blocked at the web server or WAF; impact limited to loss of the plugin's upload feature
🎯 Exploit Status
Exploit requires HTTP header manipulation; public exploit details available in references
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown - vendor unresponsive
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch is available. Apply the workarounds below, and consider migrating to an alternative CMS if the vendor remains unresponsive.
🔧 Temporary Workarounds
Block vulnerable endpoint
Restrict access to the vulnerable PHP file via web server configuration (this disables the plugin's upload feature, which is the intended effect)
# Apache 2.4:
<LocationMatch "admin/plugins/auto_post/uploads-require-maxsite\.php">
Require all denied
</LocationMatch>
# Apache 2.2 (legacy syntax):
<LocationMatch "admin/plugins/auto_post/uploads-require-maxsite\.php">
Order deny,allow
Deny from all
</LocationMatch>
# Nginx (inside the server block, placed before the generic "location ~ \.php$" block that passes requests to PHP-FPM, because the first matching regex location wins):
location ~* admin/plugins/auto_post/uploads-require-maxsite\.php {
deny all;
return 403;
}
Implement file upload validation
Add server-side validation for file uploads, including an extension allowlist and sanitization of the client-supplied filename, regardless of whether the name comes from a form field or from the X-Requested-FileName header
# Add to the plugin's upload handling code, before anything is written to disk:
$allowed_extensions = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
// Validate the name the code is about to write, whatever its source (the
// X-Requested-FileName header, if that is what the handler reads, or $_FILES).
$client_name = basename($_FILES['file']['name']); // drop any directory component (../)
$file_extension = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
if (!in_array($file_extension, $allowed_extensions, true)) {
    http_response_code(400);
    die('Invalid file type');
}
// Do not reuse the client-supplied name on disk; generate a random one.
$stored_name = bin2hex(random_bytes(16)) . '.' . $file_extension;
🧯 If You Can't Patch
- Deploy WAF with file upload protection rules
- Implement network segmentation to isolate MaxSite CMS from critical systems
🔍 How to Verify
Check if Vulnerable:
Confirm that /application/maxsite/admin/plugins/auto_post/uploads-require-maxsite.php exists in the installation and is reachable over HTTP, then, on a non-production copy, test a file upload with a manipulated X-Requested-FileName header
Check Version:
Check MaxSite CMS version in admin panel or config files
Verify Fix Applied:
Repeat the upload test with a manipulated header; the request must be rejected (HTTP 403 from the web-server rule, or the upload refused by the validation code) and no file may appear in the upload directory
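To check that the web-server block from the workarounds is actually in effect, here is an added example in Python (not part of this advisory or of MaxSite CMS) that requests the vulnerable path and classifies the answer. The path is the one named in this advisory; the base URL, the User-Agent string and the verdict labels are assumptions. It deliberately does not attempt an upload.

```python
import urllib.error
import urllib.request

# Endpoint path from the advisory. The base URL passed to probe() is an assumed example value.
VULN_PATH = "/application/maxsite/admin/plugins/auto_post/uploads-require-maxsite.php"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them.
    A CMS that redirects unauthenticated requests to its login page would
    otherwise end in a 200 and be misread as 'reachable'."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def classify(status):
    """Map the HTTP status of a plain GET to the endpoint onto a verdict."""
    if status == 403:
        return "blocked"      # web-server deny rule (or a WAF) answered
    if status == 404:
        return "absent"       # no such file: plugin removed, or a different install layout
    if 300 <= status < 400:
        return "redirected"   # the application answered (e.g. login redirect): rule not in effect
    if 200 <= status < 300:
        return "reachable"    # endpoint still served: workaround not in effect
    return "unexpected"


def probe(base_url, timeout=10):
    """GET the vulnerable path on base_url and return classify()'s verdict."""
    req = urllib.request.Request(
        base_url.rstrip("/") + VULN_PATH,
        headers={"User-Agent": "maxsite-block-check"},  # assumed label, easy to find in logs
    )
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as err:
        return classify(err.code)


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "https://cms.example.test"  # assumed host
    print(probe(base))
```

A "blocked" verdict shows the deny rule covers the path for GET. If a WAF rather than the web server is doing the blocking, repeat the probe with a POST, since WAF rules can be method-specific. "reachable" or "redirected" both mean the application, not the web server, handled the request, so the block is not in effect.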
📡 Detection & Monitoring
Log Indicators:
- HTTP requests (especially POST) to uploads-require-maxsite.php; the X-Requested-FileName request header is only visible if the log format captures it (Apache: %{X-Requested-FileName}i in LogFormat; nginx: $http_x_requested_filename in log_format), as default access logs do not record custom request headers
- Newly created files with executable extensions (.php, .phtml, .phar; also .jsp, .asp as generic indicators) in upload directories, and subsequent requests to them
Network Indicators:
- Unusual outbound connections from web server post-file upload
- HTTP traffic with manipulated headers to upload endpoints
SIEM Query:
source="web_logs" AND (uri="*uploads-require-maxsite.php" OR header="X-Requested-FileName")
(the header clause only matches if the web server has been configured to log that header; otherwise rely on the URI clause and on file-system monitoring of the upload directory)
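The log indicators above assume the X-Requested-FileName header is being logged, which default combined-format access logs do not do. As an added example (not the advisory's or MaxSite's code), the following Python applies the indicators to Apache access-log lines written with an extended LogFormat that appends that header. The log lines, the upload directory name, the LogFormat nickname and the extension list are constructed assumptions.

```python
import re

# Added example. Assumes Apache access logs written with this LogFormat (assumed
# nickname "maxsite"), which appends the X-Requested-FileName request header; the
# default "combined" format does not record custom request headers:
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{X-Requested-FileName}i\"" maxsite
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<reqname>[^"]*)"$'
)

VULN_ENDPOINT = "uploads-require-maxsite.php"
# Server-side executable extensions for a PHP host (plus .jsp/.asp as generic indicators).
EXEC_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "jsp", "asp", "aspx"}
UPLOAD_DIRS = ("/uploads/",)  # assumed: substitute the real upload directory of the install

# Constructed sample lines (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-"
203.0.113.9 - - [10/Nov/2025:10:01:40 +0000] "POST /application/maxsite/admin/plugins/auto_post/uploads-require-maxsite.php HTTP/1.1" 200 23 "shell.php"
203.0.113.9 - - [10/Nov/2025:10:01:55 +0000] "GET /uploads/shell.php?cmd=id HTTP/1.1" 200 410 "-"
203.0.113.9 - - [10/Nov/2025:10:02:10 +0000] "POST /application/maxsite/admin/plugins/auto_post/uploads-require-maxsite.php HTTP/1.1" 403 199 "../../config.php"
"""


def extension(name):
    """Lower-cased final extension of a filename, '' if none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def suspicious_filename(name):
    """Reasons a client-supplied filename should be flagged (empty list = benign)."""
    reasons = []
    if ".." in name or "/" in name or "\\" in name:
        reasons.append("path traversal in filename")
    ext = extension(name)
    if ext in EXEC_EXTENSIONS:
        reasons.append("executable extension ." + ext)
    # shell.php.jpg: an inner executable extension can still run under some Apache handler configs
    inner = name.lower().split(".")[1:-1]
    if any(p in EXEC_EXTENSIONS for p in inner):
        reasons.append("executable extension hidden before final extension")
    return reasons


def scan_log(lines):
    """Return one alert dict per log line that matches any indicator."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        path = m["uri"].split("?", 1)[0]
        reqname = m["reqname"]
        reasons = []
        if VULN_ENDPOINT in path:
            reasons.append("request to vulnerable endpoint")
            if m["method"] == "POST" and m["status"].startswith("2"):
                reasons.append("upload accepted (2xx)")
        if reqname and reqname != "-":  # Apache logs "-" when the header is absent
            reasons.append("X-Requested-FileName header present")
            reasons.extend(suspicious_filename(reqname))
        if any(d in path for d in UPLOAD_DIRS) and extension(path) in EXEC_EXTENSIONS:
            reasons.append("executable file requested from upload directory")
        if reasons:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                           "path": path, "filename": reqname, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(alert["ts"], alert["ip"], alert["method"], alert["path"], "->", "; ".join(alert["reasons"]))
```

On the constructed sample this flags the accepted POST to the endpoint with a .php name, the follow-up request to the dropped file in the upload directory, and the later POST carrying a traversal path (blocked with 403, which is what the web-server rule should produce). For nginx the equivalent is a log_format that includes $http_x_requested_filename; the regex would then need adjusting to that format.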