QCMS
cpe:2.3:a:qcms:qcms:*:*:*:*:*:*:*
- 6.0.5
A directory traversal vulnerability has been identified in QCMS version 6.0.5, allowing authenticated users to read arbitrary files from the server. This issue arises from inadequate validation of the 'Name' parameter in the backend template editor. By manipulating this parameter, attackers can traverse outside the designated template directory and access sensitive files, such as system configuration, PHP source code, or other confidential information. The vulnerability was verified in a Windows 10 environment with PHP 7.3.4, using Firefox and Burp Suite for manual testing.
Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the server, including CMS configuration files, PHP source code, and system-level files such as the Windows hosts file.
To reproduce this vulnerability, an authenticated user can send a GET request to the '/admin/templates/edit.html' endpoint, including a crafted 'Name' parameter that exploits the directory traversal flaw. The server will respond with the contents of the file specified in the 'Name' parameter, bypassing the intended directory restrictions.
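For defenders reviewing web server logs, the following added example (not part of the original advisory or of QCMS) flags requests to the endpoint above whose 'Name' value is absolute or contains a parent-directory segment. The combined log format, the sample lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/admin/templates/edit.html"  # endpoint named in the advisory
PARAM = "Name"                           # parameter named in the advisory
REQUEST = re.compile(r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed log lines for illustration, not captured from a real server.
SAMPLE_LOG = """\
192.0.2.5 - - [01/Jan/2025:10:00:00 +0000] "GET /admin/templates/edit.html?Name=index.html HTTP/1.1" 200 512
192.0.2.5 - - [01/Jan/2025:10:00:02 +0000] "GET /admin/templates/edit.html?Name=blog/list.html HTTP/1.1" 200 734
192.0.2.7 - - [01/Jan/2025:10:00:05 +0000] "GET /admin/templates/edit.html?Name=../../example.txt HTTP/1.1" 200 90
192.0.2.7 - - [01/Jan/2025:10:00:06 +0000] "GET /admin/templates/edit.html?Name=..%5c..%5cexample.txt HTTP/1.1" 200 90
192.0.2.9 - - [01/Jan/2025:10:00:09 +0000] "GET /admin/templates/edit.html?Name=%252e%252e%252fexample.txt HTTP/1.1" 200 90
192.0.2.9 - - [01/Jan/2025:10:00:11 +0000] "GET /index.html?Name=../example.txt HTTP/1.1" 404 0
"""

def escapes_template_dir(value: str) -> bool:
    """True if a template name is absolute or contains a '..' path segment."""
    for _ in range(3):                    # undo nested percent-encoding
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.replace("\\", "/")      # Windows accepts both separators
    if value.startswith("/") or re.match(r"^[A-Za-z]:", value):
        return True                       # rooted path or drive letter
    return ".." in value.split("/")

def suspicious_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (client, Name value) for each request that leaves the template dir."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != ENDPOINT:
            continue
        # parse_qs percent-decodes each value once before we inspect it
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if escapes_template_dir(value):
                hits.append((m.group("client"), value))
    return hits

if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} requested template outside base directory: {value!r}")
```

The same containment rule (resolve the requested name, then require the result to stay under the template directory) is what the server-side handler needs to enforce before reading the file.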