Quick CMS 6.7 Shell Upload Vulnerability

2024-06-1300:00:00

Eagle Eye

0day.today

quick cms

shell upload

vulnerability

authenticated

unfiltered parameter

file upload

extension override

admin

settings

save

intercept

pages

new page

add files

malicious script

vendor

opensolution

window

linux

researcher

no response

database configuration

AI Score

7.4

Confidence

Low

JSON

# Title : Authenticated Shell Upload
# Product : Quick CMS
# Vendor : https://opensolution.org/
# Affected Version : 6.7
# Researcher : Eagle Eye
# Tested on : Window & Linux
# Report : Already contact the vendor but no response
# Affected path : admin.php , core/common-admin.php, database/config.php
# Affected function : saveVariables()
# Description : Unfiltered parameter that post into admin.php?p=settings override any
$config key value cause to file upload allowed extension overriding
lead to shell upload.
# Step to reproduce
- login at admin.php
- click setting on right above
- click save and intercept the request
- on body parameter, add &allowed_not_image_extensions=php and proceed
- click Pages and New page from top navbar
- On the panel, choose Add files
- And you can upload malicious script with extension php - You may find on path eg: http://website.com/files/shell.php

AI Score

7.4

Confidence

Low

JSON