Vulnerability: File upload
CVSS 3.x Base Score: 9.8 CRITICAL
qdPM is a free web-based project management tool suitable for a small team working on multiple projects. It is fully configurable: you can easily manage projects, tasks and people, and customers interact through a ticket system that is integrated into task management.
In qdPM you can create a new user, choose the user's group, upload a profile photo, and so on. When a profile photo is uploaded, qdPM rejects “php” files. If you change the request's “Content-Type” header from “application/x-php” to “image/gif”, qdPM throws an exception, but you don't need to mind it: the “php” file has already been written to the uploads directory before the exception is thrown. All you have to do now is browse to the “uploads/users” directory and execute the shell.
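The root cause described above is twofold: the only check that runs before the write trusts the client-supplied Content-Type, and the image validation that would have caught the file runs after the file is already on disk. The following is an added example (not qdPM's code; the handler is a model of the behaviour the writeup describes, including the numeric prefix on the stored name) that puts that ordering beside a hardened version which sniffs the bytes, allowlists the extension, picks the stored name itself and writes nothing until every check has passed. `Upload`, `vulnerable_save`, `hardened_save` and `demo` are names chosen for this example.

```python
import os
import secrets
import tempfile
from dataclasses import dataclass

# Magic bytes of the image types a profile-photo field is meant to accept.
MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
}
ALLOWED_EXT = {"gif", "png", "jpg", "jpeg"}


@dataclass
class Upload:
    filename: str      # client-supplied name (attacker controlled)
    content_type: str  # client-supplied MIME type (attacker controlled)
    data: bytes


class RejectedUpload(Exception):
    pass


def vulnerable_save(upload: Upload, upload_dir: str) -> str:
    """Write-then-validate, as the writeup describes (model, not qdPM's code).

    The only pre-write check trusts the client Content-Type, so "image/gif"
    on a .php body passes. The image check that follows raises, but by then
    the file is already sitting in the upload directory.
    """
    if not upload.content_type.startswith("image/"):
        raise RejectedUpload("content type not allowed")
    # Assumed naming scheme: 6-digit number prepended to the client name.
    prefix = secrets.randbelow(900000) + 100000
    dest = os.path.join(upload_dir, f"{prefix}_{os.path.basename(upload.filename)}")
    with open(dest, "wb") as f:
        f.write(upload.data)
    if not any(upload.data.startswith(m) for m in MAGIC):
        raise RejectedUpload("not an image")  # too late: dest already exists
    return dest


def hardened_save(upload: Upload, upload_dir: str) -> str:
    """Validate everything first, then write under a server-chosen name."""
    # 1. Ignore the client Content-Type entirely; decide the type from the bytes.
    ext = next((e for m, e in MAGIC.items() if upload.data.startswith(m)), None)
    if ext is None:
        raise RejectedUpload("not an image")
    # 2. The client's extension must be on the allowlist (no .php, .phtml, ...).
    client_ext = os.path.splitext(upload.filename)[1].lower().lstrip(".")
    if client_ext not in ALLOWED_EXT:
        raise RejectedUpload("extension not allowed")
    # 3. No client string reaches the filesystem; write to a temp file and
    #    rename it into place only after the checks above have passed.
    name = f"{secrets.token_hex(16)}.{ext}"
    fd, tmp = tempfile.mkstemp(dir=upload_dir)
    with os.fdopen(fd, "wb") as f:
        f.write(upload.data)
    os.replace(tmp, os.path.join(upload_dir, name))
    return name


def demo() -> dict:
    """Run both handlers against a PHP body with a spoofed Content-Type and a
    real GIF; report what each left on disk. Inputs are constructed here."""
    shell = Upload("shell.php", "image/gif", b"<?php system($_GET['c']); ?>")
    gif = Upload("me.gif", "text/plain", b"GIF89a" + b"\x00" * 16)
    results = {}

    vuln_dir = tempfile.mkdtemp()
    try:
        vulnerable_save(shell, vuln_dir)
        results["vulnerable_raised"] = False
    except RejectedUpload:
        results["vulnerable_raised"] = True
    results["vulnerable_left_php"] = any(n.endswith("_shell.php") for n in os.listdir(vuln_dir))

    hard_dir = tempfile.mkdtemp()
    try:
        hardened_save(shell, hard_dir)
        results["hardened_raised"] = False
    except RejectedUpload:
        results["hardened_raised"] = True
    results["hardened_left_anything"] = bool(os.listdir(hard_dir))
    saved = hardened_save(gif, hard_dir)
    results["hardened_gif_name"] = saved
    results["hardened_gif_exists"] = os.path.exists(os.path.join(hard_dir, saved))
    return results


if __name__ == "__main__":
    print(demo())
```

Even with the hardened handler, the upload directory should be served with script execution disabled (for example a web-server rule that refuses to run PHP under `uploads/`), so that a validation bypass found later still does not turn into code execution.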
What if we can't list the uploads directory? How do we execute the shell then? As you can see above, we have a problem: qdPM prepends a number to the file name. I haven't looked at the code yet (I'll edit this part if I do), but this part of the file name is probably derived from the time. If it is not time-based, you can simply brute-force the file name with numbers between 100000 and 999999, because it just cycles through 100000 to 999999. I'll probably share an exploit for this after the program is patched.