qEngine CMS 6.0.0 Remote Code Execution

Title: qEngine CMS 6.0.0 Remote Code Execution
Advisory ID: ZSL-2014-5174
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 25.03.2014
qEngine (qE) is a lightweight, fast, yet feature packed CMS script to help you building your site quickly. Using template engine to separate the php codes from the design, you don't need to touch the codes to design your web site. qE is also expandable by using modules.
qEngine CMS suffers from an authenticated arbitrary code execution. The vulnerability is caused due to the improper verification of uploaded files in several modules thru several POST parameters. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file that will be stored in '/public/image' directory.
C97net - http://www.c97.net
Affected Version
6.0.0 and 4.1.6
Tested On
Apache/2.4.7 (Win32)
MySQL 5.6.14
Vendor Status
[07.03.2014] Vulnerability discovered.
[10.03.2014] Vendor contacted.
[11.03.2014] Vendor responds asking more details.
[11.03.2014] Sent details to the vendor.
[12.03.2014] Working with the vendor.
[13.03.2014] Vendor working on a new version.
[21.03.2014] Asked vendor for status update.
[21.03.2014] Vendor promises patch release in April.
[25.03.2014] Public security advisory released.
[31.05.2014] Vendor releases version 7 to address this issue.
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
[1] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5178.php
[2] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5182.php
[3] http://cxsecurity.com/issue/WLB-2014030190
[4] http://packetstormsecurity.com/files/125855
[5] http://www.exploit-db.com/exploits/32511/
[6] http://www.securityfocus.com/bid/66398
[7] http://osvdb.org/show/osvdb/104916
[8] http://osvdb.org/show/osvdb/104917
[9] http://osvdb.org/show/osvdb/104943
[10] http://www.c97.net/news/security-issues-with-qengine-family.php
[11] https://secunia.com/advisories/57529/
[12] http://www.c97.net/news/qengine-7-is-ready-to-download.php
[25.03.2014] - Initial release
[26.03.2014] - Added reference [6], [7], [8] and [9]
[27.03.2014] - Added reference [10]
[31.03.2014] - Added reference [11]
[31.05.2014] - Added vendor status and reference [12]
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk