qEngine CMS 6.0.0 (task.php) Local File Inclusion

`  
qEngine CMS 6.0.0 (task.php) Local File Inclusion Vulnerability  
  
  
Vendor: C97net  
Product web page: http://www.c97.net  
Affected version: 6.0.0 and 4.1.6  
  
Summary: qEngine (qE) is a lightweight, fast, yet feature packed  
CMS script to help you building your site quickly. Using template  
engine to separate the php codes from the design, you don't need  
to touch the codes to design your web site. qE is also expandable  
by using modules.  
  
Desc: qEngine CMS suffers from an authenticated file inclusion  
vulnerability (LFI) when input passed thru the 'run' parameter to  
task.php is not properly verified before being used to include files.  
This can be exploited to include files from local resources with  
directory traversal attacks.  
  
  
Tested on: Apache/2.4.7 (Win32)  
PHP/5.5.6  
MySQL 5.6.14  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2014-5173  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5173.php  
  
  
Dork #1: intitle:powered by c97.net  
Dork #2: intitle:powered by qEngine  
Dork #3: intitle:powered by Kemana.c97.net  
Dork #4: intitle:powered by Cart2.c97.net  
  
  
  
07.03.2014  
  
---  
  
  
http://localhost/qe6_0/admin/task.php?run=../../../../../../windows/win.ini  
`