qEngine CMS 6.0.0 Database Backup Disclosure Exploit

Title: qEngine CMS 6.0.0 Database Backup Disclosure Exploit
Advisory ID: ZSL-2014-5172
Type: Local/Remote
Impact: Exposure of Sensitive Information
Risk: (3/5)
Release Date: 25.03.2014
Summary
qEngine (qE) is a lightweight, fast, yet feature packed CMS script to help you building your site quickly. Using template engine to separate the php codes from the design, you don't need to touch the codes to design your web site. qE is also expandable by using modules.
Description
qEngine CMS stores database backups using the Backup DB tool with a predictable file name inside the '/admin/backup' directory as 'Full Backup YYYYMMDD.sql' or 'Full Backup YYYYMMDD.gz', which can be exploited to disclose sensitive information by downloading the file. The '/admin/backup' is also vulnerable to directory listing by default.
Vendor
C97net - http://www.c97.net
Affected Version
6.0.0 and 4.1.6
Tested On
Apache/2.4.7 (Win32)
PHP/5.5.6
MySQL 5.6.14
Vendor Status
[07.03.2014] Vulnerability discovered.
[10.03.2014] Vendor contacted.
[11.03.2014] Vendor responds asking more details.
[11.03.2014] Sent details to the vendor.
[12.03.2014] Working with the vendor.
[13.03.2014] Vendor working on a new version.
[21.03.2014] Asked vendor for status update.
[21.03.2014] Vendor promises patch release in April.
[25.03.2014] Public security advisory released.
[31.05.2014] Vendor releases version 7 to address this issue.
PoC
qenginecms_dbd.php
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5176.php
[2] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5180.php
[3] http://cxsecurity.com/issue/WLB-2014030188
[4] http://packetstormsecurity.com/files/125853
[5] http://www.exploit-db.com/exploits/32511/
[6] http://www.securityfocus.com/bid/66395
[7] http://osvdb.org/show/osvdb/104919
[8] http://www.c97.net/news/security-issues-with-qengine-family.php
[9] https://secunia.com/advisories/57529/
[10] http://www.c97.net/news/qengine-7-is-ready-to-download.php
Changelog
[25.03.2014] - Initial release
[26.03.2014] - Added reference [6] and [7]
[27.03.2014] - Added reference [8]
[31.03.2014] - Added reference [9]
[31.05.2014] - Added vendor status and reference [10]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk