CVE-2024-11992
📋 TL;DR
This is an absolute path traversal vulnerability in Quick.CMS 6.7 that allows remote attackers to bypass security restrictions and download or delete files outside the configured document root. Attackers can exploit this via the aDirFiles[0] parameter in admin.php. All Quick.CMS 6.7 installations with admin.php accessible are affected.
💻 Affected Systems
- Quick.CMS
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through sensitive file disclosure (configuration files, passwords, SSH keys) and arbitrary file deletion leading to system unavailability.
Likely Case
Unauthorized access to sensitive files outside web root, potential credential theft, and selective file deletion disrupting application functionality.
If Mitigated
Limited impact with proper input validation, file permission restrictions, and web server configuration hardening.
🎯 Exploit Status
Exploitation requires access to the admin.php page. The vulnerability is straightforward to exploit once authenticated, or without authentication if the admin interface is improperly secured.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.8 or later
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/path-traversal-vulnerability-quickcms
Restart Required: No
Instructions:
1. Download the latest Quick.CMS version from the official source.
2. Back up the current installation.
3. Replace the vulnerable files with the patched version.
4. Verify that admin.php no longer accepts malicious path traversal inputs.
🔧 Temporary Workarounds
Restrict admin.php access
Limit access to the admin.php page using web server authentication or IP restrictions
# Apache: add to .htaccess in the Quick.CMS directory. The <Files> wrapper is required,
# otherwise the rule blocks the whole directory (the public site) instead of only admin.php.
# Order/Deny/Allow is Apache 2.2 syntax; on 2.4 it needs mod_access_compat, or use "Require ip 192.168.1.0/24".
<Files "admin.php">
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
</Files>
# Nginx: add to the server block. The exact-match location takes precedence over the generic
# "\.php$" handler, so the fastcgi_pass/include directives of your existing PHP location must be
# repeated inside this block; otherwise admin.php is no longer handed to PHP for allowed clients.
location = /admin.php {
    allow 192.168.1.0/24;
    deny all;
}
Implement input validation
Add server-side validation to reject path traversal sequences in the aDirFiles parameter
# PHP example for admin.php. PHP parses the query key aDirFiles[0] into $_GET['aDirFiles'][0],
# so a lookup of $_GET['aDirFiles[0]'] never matches and the check would be silently skipped.
$path = (string) ($_GET['aDirFiles'][0] ?? '');
# reject dot-dot sequences (relative traversal) and a leading slash (absolute path)
if (strpos($path, '..') !== false || strpos($path, '/') === 0) {
    die('Invalid path');
}
🧯 If You Can't Patch
- Implement strict file system permissions to limit web server user access to only necessary directories
- Deploy web application firewall (WAF) with path traversal protection rules
🔍 How to Verify
Check if Vulnerable:
Test if admin.php accepts path traversal sequences like '../../etc/passwd' in aDirFiles[0] parameter
Check Version:
Check Quick.CMS version in admin panel or read version from includes/config.php
Verify Fix Applied:
After patching, repeat the path traversal test; the request should return an error or be blocked
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to admin.php with '..' or '/' in parameters
- Unusual file access patterns in web server logs
- Failed file access attempts outside document root
Network Indicators:
- HTTP requests containing path traversal sequences to admin.php endpoint
- Unusual file download patterns from admin interface
SIEM Query:
source="web_logs" AND uri="/admin.php" AND (param="*..*" OR param="*../*" OR param="/*")
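The log indicators above, as an added example that is not part of the original advisory: a small Python scanner over Apache combined-format access logs that flags admin.php requests whose query parameters carry a dot-dot segment or an absolute path. It goes one step beyond the SIEM pattern by URL-decoding parameter names and values first, so `aDirFiles%5B0%5D=%2Fetc%2Fshadow` is caught as well as the literal form. The log lines are constructed for illustration; only GET query strings are visible in access logs, so POST bodies need a separate source.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample log lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2024:10:01:02 +0000] "GET /admin.php?p=files&aDirFiles[0]=docs HTTP/1.1" 200 512
203.0.113.9 - - [10/Dec/2024:10:01:07 +0000] "GET /admin.php?p=files&aDirFiles%5B0%5D=../../etc/passwd HTTP/1.1" 200 1833
203.0.113.9 - - [10/Dec/2024:10:01:09 +0000] "GET /admin.php?p=files&aDirFiles%5B0%5D=%2Fetc%2Fshadow HTTP/1.1" 403 221
198.51.100.2 - - [10/Dec/2024:10:02:00 +0000] "GET /index.php?id=../../x HTTP/1.1" 200 900
203.0.113.9 - - [10/Dec/2024:10:03:00 +0000] "POST /admin.php HTTP/1.1" 200 300
"""

# Apache/Nginx combined-format prefix: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_value(value: str) -> bool:
    """True if a parameter value is an absolute path or contains a '..' path segment."""
    # parse_qsl already decoded once; decode again to catch double-encoded payloads (%252e%252e)
    v = unquote(value).replace("\\", "/")
    if v.startswith("/"):
        return True
    return any(segment == ".." for segment in v.split("/"))


def find_traversal_attempts(log_text: str) -> list:
    """Return one record per admin.php request parameter that looks like a traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        if parts.path != "/admin.php":
            continue  # only the vulnerable endpoint is of interest here
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if suspicious_value(value):
                hits.append({"ip": m.group("ip"), "time": m.group("ts"), "param": name,
                             "value": value, "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```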