########################## www.BugReport.ir #######################################
#
#		AmnPardaz Security Research Team
#
# Title: QuickerSite Multiple Vulnerabilities 
# Vendor: www.quickersite.com
# Vulnerable Version: 1.8.5
# Exploit: Available
# Impact: High
# Fix: N/A
###################################################################################

####################
1. Description:
####################
	QuickerSite is a Content Management System for Windows Servers. It is written in ASP/VBScript with an optional pinch of ASP.NET for true image-resizing capabilities. QuickerSite ships with an Access database, with the option to upsize to SQL Server 2000/2005 for busy sites (>1000 visitors/day). 
####################
2. Vulnerabilities:
####################
	2.1. Insecure Direct Object Reference [in "bs_login.asp"]. Anyone can change the admin password.
		2.1.1. Exploit:
				Check the exploit section.
	2.2. Insecure Direct Object Reference [in "bs_login.asp"]. Anyone can edit all of the site information, such as the admin email address.
		2.2.1. Exploit:
				Check the exploit section.
	2.3. Insecure Direct Object Reference [in "bs_login.asp"]. Anyone can edit the entire site design. (All the site settings can also be changed through other parameters.)
		2.3.1. Exploit:
				Check the exploit section.
	2.4. Failure to Restrict URL Access [in "mailPage.asp"]. Anyone can mailbomb others.
		2.4.1. Exploit:
				Check the exploit section.
	2.5. Cross Site Scripting (XSS) [in "showThumb.aspx"]. Reflected XSS attack that circumvents the ASP.NET XSS denier (path disclosure in the open error mode).
		2.5.1. Exploit:
				Check the exploit section.
	2.6. Cross Site Scripting (XSS), Failure to Restrict URL Access [in "process_send.asp"]. Redirect reflected XSS attack in the "SB_redirect" parameter. Reflected XSS and content spoofing in the "SB_feedback" parameter. Anyone can mailbomb others.
		2.6.1. Exploit:
				Check the exploit section.
	2.7. Cross Site Scripting (XSS) [in "picker.asp"]. Reflected XSS attack in "paramCode" and "cColor" parameters.
		2.7.1. Exploit:
				Check the exploit section.
	2.8. Cross Site Scripting (XSS) [in "rss.asp"]. Stored XSS attack in the "X-FORWARDED-FOR", "QueryString" and "Referer" header parameters. An attacker can execute an XSS attack against the admin.
		2.8.1. Exploit:
				Check the exploit section.
	2.9. File uploading is allowed by FCKEDITOR.
		2.9.1. Exploit:
				Check the exploit section.
	2.10. Injection Flaws [in "/asp/includes/contact.asp"]. SQL Injection on "check" function in "sNickName" parameter.
		2.10.1. Exploit:
				Check the exploit section.
####################
3. Exploits:
####################
	Original Exploit URL: http://bugreport.ir/index.php?/39/exploit
####################
4. Solution:
####################
	Edit the source code to ensure that inputs are properly sanitized for 3.5, 3.6, 3.7, 3.8 and 3.10, and use access control for the others.
	Note: First check with the vendor for a patch.
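
	With no fix listed, reviewing web server logs for requests to the files named above is one way to check exposure. The following is an added example, not part of the original advisory or of QuickerSite: a Python triage of IIS W3C logs that flags markup or quote characters in the parameters named in 2.6, 2.7, 2.8 and 2.10, and repeated hits on the mail pages from 2.4 and 2.6. The log field layout, the sample lines and the burst threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus

# Files and parameters named in the advisory, lower-cased for matching.
PARAMS = {"process_send.asp": {"sb_redirect", "sb_feedback"},
          "picker.asp": {"paramcode", "ccolor"},
          "contact.asp": {"snickname"}}
MAIL_PAGES = {"mailpage.asp", "process_send.asp"}
META = re.compile(r"[<>\"']")  # markup and quoting characters, after decoding
MAIL_BURST = 3                 # assumed per-IP threshold, tune per site

# Constructed sample log (not real traffic); addresses are documentation ranges.
SAMPLE = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Referer)
2009-01-01 10:00:00 192.0.2.10 GET /picker.asp paramCode=abc&cColor=%22%3E%3Cb%3E 200 -
2009-01-01 10:00:01 192.0.2.11 GET /picker.asp paramCode=abc&cColor=ff0000 200 -
2009-01-01 10:00:02 198.51.100.5 POST /mailPage.asp - 200 -
2009-01-01 10:00:03 198.51.100.5 POST /mailPage.asp - 200 -
2009-01-01 10:00:04 198.51.100.5 POST /mailPage.asp - 200 -
2009-01-01 10:00:05 192.0.2.12 GET /rss.asp id=1 200 http://example.test/%3Cb%3E
"""

def triage(log_text):
    """Return (findings, burst_ips) for an IIS W3C extended log."""
    fields, findings, mail_hits = [], [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        page = row.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower()
        ip = row.get("c-ip", "-")
        if page in MAIL_PAGES:
            mail_hits[ip] += 1
        # Only query-string parameters are logged; POST bodies are not visible here.
        for name, value in parse_qsl(row.get("cs-uri-query", "")):
            if name.lower() in PARAMS.get(page, ()) and META.search(value):
                findings.append((ip, page, name))
        # rss.asp: the advisory names the query string and Referer as stored inputs.
        if page == "rss.asp":
            for field in ("cs-uri-query", "cs(Referer)"):
                if META.search(unquote_plus(row.get(field, ""))):
                    findings.append((ip, page, field))
    return findings, sorted(ip for ip, n in mail_hits.items() if n >= MAIL_BURST)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

	X-Forwarded-For is not part of the default IIS log fields, so the rss.asp check covers only the query string and Referer unless that header is added to the logging configuration.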
####################
- Credit :
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com