← Advisories

qEngine CMS 6.0.0 Remote Code Execution

High

Advisory ID

ZSL-2014-5174

Release Date

25 March 2014

Vendor

C97net - http://www.c97.net

Affected Version

6.0.0 and 4.1.6

CVE

N/A

Tested On

Apache/2.4.7 (Win32), PHP/5.5.6, MySQL 5.6.14

Summary

qEngine (qE) is a lightweight, fast, yet feature packed CMS script to help you building your site quickly. Using template engine to separate the php codes from the design, you don't need to touch the codes to design your web site. qE is also expandable by using modules.

Description

qEngine CMS suffers from an authenticated arbitrary code execution. The vulnerability is caused due to the improper verification of uploaded files in several modules thru several POST parameters. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file that will be stored in '/public/image' directory.

Proof of Concept

qenginecms_rce.txtTXT

Disclosure Timeline

07.03.2014Vulnerability discovered.

10.03.2014Vendor contacted.

11.03.2014Vendor responds asking more details.

11.03.2014Sent details to the vendor.

12.03.2014Working with the vendor.

13.03.2014Vendor working on a new version.

21.03.2014Asked vendor for status update.

21.03.2014Vendor promises patch release in April.

25.03.2014Public security advisory released.