← Advisories

qEngine CMS 6.0.0 Database Backup Disclosure Exploit

Medium
Advisory ID
ZSL-2014-5172
Release Date
25 March 2014
Vendor
C97net - http://www.c97.net
Affected Version
6.0.0 and 4.1.6
CVE
N/A
Tested On
Apache/2.4.7 (Win32), PHP/5.5.6, MySQL 5.6.14
Summary

qEngine (qE) is a lightweight, fast, yet feature packed CMS script to help you building your site quickly. Using template engine to separate the php codes from the design, you don't need to touch the codes to design your web site. qE is also expandable by using modules.

Description

qEngine CMS stores database backups using the Backup DB tool with a predictable file name inside the '/admin/backup' directory as 'Full Backup YYYYMMDD.sql' or 'Full Backup YYYYMMDD.gz', which can be exploited to disclose sensitive information by downloading the file. The '/admin/backup' is also vulnerable to directory listing by default.

Proof of Concept
qenginecms_dbd.phpTXT
Disclosure Timeline
07.03.2014Vulnerability discovered.
10.03.2014Vendor contacted.
11.03.2014Vendor responds asking more details.
11.03.2014Sent details to the vendor.
12.03.2014Working with the vendor.
13.03.2014Vendor working on a new version.
21.03.2014Asked vendor for status update.
21.03.2014Vendor promises patch release in April.
25.03.2014Public security advisory released.
31.05.2014Vendor releases version 7 to address this issue.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://www.zeroscience.mk/#/advisories/ZSL-2014-5176
[2]https://www.zeroscience.mk/#/advisories/ZSL-2014-5180
[3]http://cxsecurity.com/issue/WLB-2014030188
[4]http://packetstormsecurity.com/files/125853
[5]http://www.exploit-db.com/exploits/32511/
[6]http://www.securityfocus.com/bid/66395
[7]http://osvdb.org/show/osvdb/104919
[8]http://www.c97.net/news/security-issues-with-qengine-family.php
[9]https://secunia.com/advisories/57529/
[10]http://www.c97.net/news/qengine-7-is-ready-to-download.php
Changelog
25.03.2014Initial release
26.03.2014Added reference [6] and [7]
27.03.2014Added reference [8]
31.03.2014Added reference [9]
31.05.2014Added vendor status and reference [10]