Code Injection in quickbox/qb


Reported on

Dec 8th 2021


While this is a theoretical finding, the code seems to be vulnerable to Remote Code Execution.

Proof of Concept Description

At line 406 you can see the following code:

$process = $_GET['serviceenable'];

This means we can do /dashboard/inc/config.php?serviceenable=ourvalue

Now, between lines 406 and 448, we can see that the values which are accepted are predefined, except in the 'else' statement.

This uses the following code:

  shell_exec("sudo systemctl enable $process@$username");
  shell_exec("sudo systemctl start $process@$username");

There are 3 things to note here:

  1. the shell_exec command is used, which allows whatever value is used to execute system commands
  2. the sudo command is executed (assuming it has permissions to run systemctl without prompting for credentials, this could lead to privilege escalation)
  3. the parameter $process is passed into a shell command unsanitized / unescaped from a GET parameter; this is dangerous as it allows user-supplied input to control the execution flow.


Privilege Escalation & Remote Code Execution


You would want to use escapeshellarg() to sanitize the $process parameter. Example: $process = escapeshellarg($_GET['serviceenable']);

CVE Information

On approval of this vulnerability and confirmation of a fix, a CVE number will be requested.
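
The escapeshellarg() recommendation above, carried one step further as an added example (not part of the original report and not QuickBox code): quoting alone stops shell metacharacters, but the caller could still name any unit, so the value is also checked against an allowlist. The function name, the service names and the username pattern are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed allowlist: the real set of services is not shown in the report.
const ALLOWED_SERVICES = ['rtorrent', 'deluged', 'syncthing'];

/**
 * Build the systemctl command line for a templated unit "service@user".
 * Returns null when any part fails validation, so nothing reaches the shell.
 */
function build_unit_command(string $action, string $process, string $username): ?string
{
    // Only the two actions seen in the reported code are permitted.
    if (!in_array($action, ['enable', 'start'], true)) {
        return null;
    }
    // Exact-match allowlist: arbitrary unit names are rejected even when
    // they contain nothing the shell would interpret.
    if (!in_array($process, ALLOWED_SERVICES, true)) {
        return null;
    }
    // Conservative account-name pattern (assumption); it cannot start with "-",
    // so the value can never be read as a systemctl option.
    if (preg_match('/\A[a-z_][a-z0-9_-]{0,31}\z/', $username) !== 1) {
        return null;
    }
    // Quote the whole unit name as a single argument, as defence in depth.
    return 'sudo systemctl ' . $action . ' ' . escapeshellarg($process . '@' . $username);
}

// Constructed inputs: one legitimate value and two that must be refused.
$samples = ['rtorrent', 'rtorrent; id', '--help'];
foreach ($samples as $value) {
    $cmd = build_unit_command('enable', $value, 'alice');
    echo str_pad(var_export($value, true), 18), ' => ', $cmd ?? 'rejected', PHP_EOL;
}
```

In a request handler, the returned string would be passed to shell_exec() only when it is not null; a null result should end the request with an error instead of falling through to a default branch.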


We are processing your report and will contact the quickbox/qb team within 24 hours. 2 years ago
WebSec B.V. submitted a
2 years ago
We created a GitHub Issue asking the maintainers to create a 2 years ago
WebSec B.V.
2 years ago


Another RCE has been discovered in another parameter in QuickBox Pro v2.4.8

Both QuickBox Pro v2.4.8 and QuickBox CE v2.5.8 are vulnerable to RCE, just a different parameter.

2 CVEs will be requested in the coming days, I will also be developing a PoC Exploit for this as a means to get a better understanding of the finding.

WebSec B.V.
2 years ago


Meanwhile you can check out the PoC video here:

WebSec B.V.
2 years ago



  • Exploit code available as 0-day (I will provide you with it on request)
We have contacted a member of the quickbox/qb team and are waiting to hear back 2 years ago
WebSec B.V.
2 years ago


I just noticed that this issue has been discovered before me, it has just not been patched. This is not a 0day but a 1-day unfortunately, finding can be closed.

WebSec B.V.
2 years ago


I did submit a patch for it in github... however I am not sure the coders will do something with it.

quickbox/qb maintainer
2 years ago


I am currently patching this up on the Community Edition on GitHub. I had not seen a submitted PR for this on the QB Github. The project is no longer maintained full time as I focus developments on Pro. However, I will be working to resolve these findings as soon as possible. Thank you again for your findings, as well as your discretion.

WebSec B.V.
2 years ago


Ah, thank you so much for the feedback. You are welcome. I am happy to see that this issue will be resolved. If I can help you with something please do let me know. :)

We have sent a follow up to the quickbox/qb team. We will try again in 4 days. 2 years ago
We have sent a second follow up to the quickbox/qb team. We will try again in 7 days. 2 years ago
We have sent a third follow up to the quickbox/qb team. We will try again in 14 days. 2 years ago
quickbox/qb maintainer validated this vulnerability 2 years ago
websecnl has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome marked this as fixed in 2.6.0 with commit 61c42a 2 years ago
WebSec B.V. has been awarded the fix bounty