# Title: Project Manager With Billing Accounting CRM PRO v1.1.8 WebShell Upload & Stored XSS Injections # Author: QUIXSS # Date: 2019-04-16 # Software: Project Manager With Billing Accounting CRM PRO v1.1.8 # Technical Details & Description: # Weak file upload filtering (.PHP5/.PHP7 isn't filtering) and multiple Stored XSS vulnerabilitieshas been discovered in the «Project Manager With Billing Accounting CRM PRO» web-application. Current version of this web-application is 1.1.8. # PoC #1 [WebShell Upload]: # It's possible to upload any PHP file via «File Manager» (for the demo website) -> https://bacspro.coderitems.com/admin/filemanager, just change file type from .PHP to .PHP5 (for PHP v5.X) or .PHP7 (for PHP v7.X) and upload the file. Or just rename your local .PHP file type to .TXT and upload it like this, then rename file type in the «File Manager» back to .PHP5 or .PHP7. Uploaded file will be inside this directory (for the demo website) -> https://bacspro.coderitems.com/-/ # PoC #2 [Stored XSS Injections]: # The whole web-application doesn't have any input field filters so you can use any input field for Stored XSS Injection. Most usefull fields is «Company Name» and «Legal Name» located (at the demo website) here: https://bacspro.coderitems.com/admin/settings. Data from this fields will be loaded on literally each page u visit. # Sample payload: "><script>alert('QUIXSS')</script>