Code Injection in quickbox/qb


Reported on

Dec 8th 2021


While this is a theoretical finding the code seems to be vulnerable to Remote Code Execution

Proof of Concept Description

At line 406 you can see the following code:

$process = $_GET['serviceenable'];

This means we can do /dashboard/inc/config.php?serviceenable=ourvalue

Now between line 406 and 448 we can see that the values which are accepted are predefined except the 'else' statement.

This uses the following code:

  shell_exec("sudo systemctl enable $process@$username");
  shell_exec("sudo systemctl start $process@$username");

There are 3 things to note here:

  1. the shell_exec command is used which grants wathever value is used to execute system commands
  2. the sudo command is executed (assuming it has permissions to run systemctl without prompting for credentials this could lead to privilege escalation
  3. the parameter $process is parsing a shell command unsanitized / unescaped to the value through a GET parameter, this is dangerous as it allows user supplied input to control the execution flow.


Privilege Escalation & Remote Code Execution


You would want to use escapeshellarg() to sanitize the $process parameter. Example: $process = escapeshellarg($_GET['serviceenable']);

CVE Information

On approval of this vulnerability and confirmatin of a fix a CVE number will be requested


We are processing your report and will contact the quickbox/qb team within 24 hours. a year ago submitted a
a year ago
We created a GitHub Issue asking the maintainers to create a a year ago
a year ago


Another RCE has been discovered in another parameter in QuickBox Pro v2.4.8

Both QuickBox Pro v2.4.8 and QuickBox CE v2.5.8 are vulnerable to RCE, just a different parameter.

2 CVE's will be requested in the coming days, I will also be developing a PoC Exploit for this as a means to get a better understanding of the finding.
a year ago


Meanwhile you can check out the PoC video here:
a year ago



  • Exploit code available as 0-day (I will provide you with it on request)
We have contacted a member of the quickbox/qb team and are waiting to hear back a year ago
a year ago


I just noticed that this issue has been discovered before me, it has just not been patched. This is not a 0day but a 1-day unfortunatley, finding can be closed.
a year ago


I did submit a patch for it in github... however I am not sure the coders will do something with it.

quickbox/qb maintainer
a year ago


I am currently patching this up on the Community Edition on GitHub. I had not seen a submitted PR for this on the QB Github. The project is no longer maintained full time as I focus developments on Pro. However, I will be working to resolve these findings as soon as possible. Thank you again for your findings, as well as your discretion.
a year ago


Ah, thank you so much for the feedback. You are welcome. I am happy to see that this issue will be resolved, If I can help you with something please do let me know. :)

We have sent a follow up to the quickbox/qb team. We will try again in 7 days. a year ago
We have sent a second follow up to the quickbox/qb team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the quickbox/qb team. This report is now considered stale. a year ago
quickbox/qb maintainer validated this vulnerability a year ago has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome marked this as fixed in 2.6.0 with commit 61c42a a year ago has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation