Quick CMS 6.7 Shell Upload

# Title : Authenticated Shell Upload# Product : Quick CMS# Vendor : https://opensolution.org/# Affected Version : 6.7# Researcher : Eagle Eye# Tested on : Window & Linux# Date : 11/06/2024# Report : Already contact the vendor but no response# Affected path : admin.php , core/common-admin.php, database/config.php# Affected function : saveVariables()# Description : Unfiltered parameter that post into admin.php?p=settings override any$config key value cause to file upload allowed extension overridinglead to shell upload.# Step to reproduce- login at admin.php- click setting on right above- click save and intercept the request- on body parameter, add &allowed_not_image_extensions=php and proceed- click Pages and New page from top navbar- On the panel, choose Add files- And you can upload malicious script with extension php - You may find on path eg: http://website.com/files/shell.php