Title: SQL injection & Cross-site scripting in CMS Flex Credit: Bilal KARDADOU Vulnerability: SQL injection & Cross-Site scripting Vulnerable version: Flex Version 0.7.2 Vendor: MBL Solutions Ltd Vendor URL: http://www.mblsolutions.co.uk/ Product: FLEX CMS "THE INTUITIVE CONTENT MANAGEMENT SYSTEM" Product URL: http://www.mblsolutions.co.uk/content-management-system.html Product & Service Introduction: =============================== MBLS Flex, is our own easy to use Content Management System (CMS). Feature rich and reliable, itas being used by some of the UKas biggest brands. It uses a simple approach to create pages or edit content and pictures throughout the site. MBLS Flex then does the hard bit and converts this into code for you. So it takes literally minutes to make amends. (Copy of the Vendor Homepage: http://www.mblsolutions.co.uk/content-management-system.html ) Technical Details & Description: ================================ A remote sql injection web vulnerability has been discovered in the official Flex CMS Version 0.7.2 content management system. The web vulnerability allows remote attackers to execute own malicious sql commands to compromise the application or dbms. The sql injection vulnerability is located in the `email` parameter of the `email=admin@exemple` module POST method request. Remote attackers are able to execute own sql commands by usage of an insecure POST method request through the vulnerable parameter of the own application. The attack vector of the vulnerability is application-side and the request method to inject is POST. The security vulnerability in the content management system is a classic select remote sql-injection. http://www.TARGET.com/admin/index.php email='[SQL injection] & [Cross-site scripting]&password=admin&login=login Security Risk: ============== The security risk of the sql-injection vulnerability in the Flex CMS web-application is estimated as high. ---tables from database --- select datacapture_fields select datacapture_field_options select datacapture_field_types select datacapture_forms select flex_components select flex_config select flex_content select flex_menus select flex_menu_items select flex_positions select flex_sections select flex_statistics select flex_templates select flex_users select photogallery_albums select photogallery_config select photogallery_images select search_config select search_statistics ---PoC--- http://prntscr.com/ebloz4 http://prntscr.com/eblq5g http://prntscr.com/eblsv8 http://prntscr.com/ebltf8 http://prntscr.com/eblu5r Bilal KARDADOU - ( https://www.linkedin.com/in/bilal-kardadou-21a000127) -- *Bilal Kardadou* IT Security Consultant *E* : b.kardadou@capvalue.ma | *E* : bilalkardadou@gmail.com | # Iranian Exploit DataBase = http://IeDb.Ir [2017-02-24]