# Title : Authenticated Shell Upload
# Product : Quick CMS
# Vendor : https://opensolution.org/
# Affected Version : 6.7
# Researcher : Eagle Eye
# Tested on : Windows & Linux
# Date : 11/06/2024
# Report : Vendor already contacted, no response
# Affected path : admin.php, core/common-admin.php, database/config.php
# Affected function : saveVariables()
# Description : Every parameter POSTed to admin.php?p=settings is written unfiltered into $config, so an authenticated admin can overwrite any $config key. Overwriting the key that lists the allowed (non-image) upload extensions lets PHP files through the file upload, which leads to shell upload.

# Steps to reproduce
- Log in at admin.php
- Click Settings at the top right
- Click Save and intercept the request
- In the request body, add &allowed_not_image_extensions=php and forward it
- Click Pages, then New page, in the top navbar
- In the panel, choose Add files
- A file with the .php extension is now accepted by the upload
- The uploaded file is served from a path such as http://website.com/files/shell.php
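The root cause described above is mass assignment: the settings handler copies whatever POST keys arrive into $config. The following is an added example of the hardened pattern, written for this advisory and not taken from Quick CMS; the function name saveVariablesHardened, the allowlist contents and the sample request are assumptions, while $config and allowed_not_image_extensions are the names the advisory uses.

```php
<?php
// Added example (not Quick CMS code): a settings handler that refuses
// mass assignment of $config keys. Allowlist contents are assumptions.

// Only these settings may be changed from the settings form; any other
// POST field is ignored instead of being copied into $config.
const SETTINGS_ALLOWLIST = ['site_name', 'admin_email', 'language'];

// The complete set of non-image extensions the upload code may ever
// accept. Server-side executable extensions (php, phtml, ...) are never
// on this list, so no request can add them.
const UPLOAD_EXTENSION_ALLOWLIST = ['pdf', 'zip', 'txt', 'csv', 'doc', 'docx'];

/**
 * Hardened counterpart to an unfiltered saveVariables(): returns the
 * configuration with only allowlisted keys updated, and with the upload
 * extension list reduced to a subset of UPLOAD_EXTENSION_ALLOWLIST.
 *
 * @param array<string,mixed> $post   raw POST body
 * @param array<string,mixed> $config current configuration
 * @return array<string,mixed>        updated configuration
 */
function saveVariablesHardened(array $post, array $config): array
{
    foreach (SETTINGS_ALLOWLIST as $key) {
        if (array_key_exists($key, $post) && is_string($post[$key])) {
            $config[$key] = trim($post[$key]);
        }
    }

    // The key abused in the advisory is validated explicitly: the admin may
    // narrow the list, but can never add an extension outside the allowlist.
    $raw = $post['allowed_not_image_extensions'] ?? null;
    if (is_string($raw)) {
        $requested = array_map('strtolower', array_map('trim', explode(',', $raw)));
        $accepted  = array_values(array_intersect($requested, UPLOAD_EXTENSION_ALLOWLIST));
        $config['allowed_not_image_extensions'] = implode(',', $accepted);
    }
    return $config;
}

// Constructed request: one benign setting, an attempt to add "php", and a
// key that is not a user-editable setting at all.
$post   = ['site_name' => 'Demo', 'allowed_not_image_extensions' => 'pdf,php', 'database_host' => 'attacker'];
$config = ['site_name' => 'Old',  'allowed_not_image_extensions' => 'pdf,zip', 'database_host' => 'localhost'];
var_dump(saveVariablesHardened($post, $config));
```

The same allowlisting belongs in the upload handler itself, so that the extension check does not depend on a mutable configuration value at all.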