qEngine CMS 6.0.0 (task.php) Local File Inclusion Vulnerability

ID ZSL-2014-5173
Type zeroscience
Reporter Gjoko Krstic
Modified 2014-03-25T00:00:00


Title: qEngine CMS 6.0.0 (task.php) Local File Inclusion Vulnerability
Advisory ID: ZSL-2014-5173
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 25.03.2014


qEngine (qE) is a lightweight, fast, yet feature packed CMS script to help you building your site quickly. Using template engine to separate the php codes from the design, you don't need to touch the codes to design your web site. qE is also expandable by using modules.


qEngine CMS suffers from an authenticated file inclusion vulnerability (LFI) when input passed thru the 'run' parameter to task.php is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks.


C97net - <http://www.c97.net>

Affected Version

6.0.0 and 4.1.6

Tested On

Apache/2.4.7 (Win32)
MySQL 5.6.14

Vendor Status

[07.03.2014] Vulnerability discovered.
[10.03.2014] Vendor contacted.
[11.03.2014] Vendor responds asking more details.
[11.03.2014] Sent details to the vendor.
[12.03.2014] Working with the vendor.
[13.03.2014] Vendor working on a new version.
[21.03.2014] Asked vendor for status update.
[21.03.2014] Vendor promises patch release in April.
[25.03.2014] Public security advisory released.
[31.05.2014] Vendor releases version 7 to address this issue.




Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>


[1] <http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5177.php>
[2] <http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5181.php>
[3] <http://packetstormsecurity.com/files/125854>
[4] <http://cxsecurity.com/issue/WLB-2014030189>
[5] <http://www.exploit-db.com/exploits/32511/>
[6] <http://www.securityfocus.com/bid/66401>
[7] <http://osvdb.org/show/osvdb/104918>
[8] <http://www.c97.net/news/security-issues-with-qengine-family.php>
[9] <https://secunia.com/advisories/57529/>
[10] <http://www.c97.net/news/qengine-7-is-ready-to-download.php>


[25.03.2014] - Initial release
[26.03.2014] - Added reference [6] and [7]
[27.03.2014] - Added reference [8]
[31.03.2014] - Added reference [9]
[31.05.2014] - Added vendor status and reference [10]


Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                            &lt;html&gt;&lt;head&gt;&lt;title&gt;403 Nothing to see.&lt;/title&gt;
&lt;link rel="Shortcut Icon" href="favicon.ico" type="image/x-icon"&gt;
&lt;style type="text/css"&gt;
body {
	background-color: #000;
body,td,th {
	font-family: Verdana, Geneva, sans-serif;
a:link {
	color: #008FEF;
	text-decoration: none;
a:visited {
	color: #008FEF;
	text-decoration: none;
a:hover {
	text-decoration: underline;
	color: #666;
a:active {
	text-decoration: none;
&lt;body bgcolor=black&gt;
&lt;font color="#7E88A3" size="2"&gt;
&lt;br /&gt;&lt;br /&gt;
&lt;h1&gt;403 Nothing to see.&lt;/h1&gt;

You do not have the powah for this request /403.shtml&lt;br /&gt;&lt;br /&gt;
&lt;font size="2"&gt;&lt;a href="https://www.zeroscience.mk"&gt;https://www.zeroscience.mk&lt;/a&gt;&lt;/font&gt;