Title: SQL injection & Cross-site scripting in CMS Flex
Credit: Bilal KARDADOU
Vulnerability: SQL injection & Cross-Site scripting
Vulnerable version: Flex Version 0.7.2
Vendor: MBL Solutions Ltd
Vendor URL: http://www.mblsolutions.co.uk/
Product: FLEX CMS "THE INTUITIVE CONTENT MANAGEMENT SYSTEM"
Product URL: http://www.mblsolutions.co.uk/content-management-system.html



Product & Service Introduction:
===============================
MBLS Flex, is our own easy to use Content Management System (CMS).

Feature rich and reliable, itas being used by some of the UKas biggest
brands. It uses a simple approach to create pages or edit content and
pictures throughout the site.

MBLS Flex then does the hard bit and converts this into code for you. So it
takes literally minutes to make amends.

(Copy of the Vendor Homepage:
http://www.mblsolutions.co.uk/content-management-system.html )


Technical Details & Description:
================================
A remote sql injection web vulnerability has been discovered  in the
official Flex CMS Version 0.7.2  content management system.
The web vulnerability allows remote attackers to execute own malicious sql
commands to compromise the application or dbms.

The sql injection vulnerability is located in the `email` parameter of the
`email=admin@exemple` module POST method request.
Remote attackers are able to execute own sql commands by usage of an
insecure POST method request through the vulnerable
parameter of the own application. The attack vector of the vulnerability is
application-side and the request method to
inject is POST. The security vulnerability in the content management system
is a classic select remote sql-injection.


http://www.TARGET.com/admin/index.php
email='[SQL injection] & [Cross-site scripting]&password=admin&login=login

Security Risk:
==============
The security risk of the sql-injection vulnerability in the Flex CMS
web-application is estimated as high.



---tables from database ---
select datacapture_fields
select datacapture_field_options
select datacapture_field_types
select datacapture_forms
select flex_components
select flex_config
select flex_content
select flex_menus
select flex_menu_items
select flex_positions
select flex_sections
select flex_statistics
select flex_templates
select flex_users
select photogallery_albums
select photogallery_config
select photogallery_images
select search_config
select search_statistics

---PoC---
http://prntscr.com/ebloz4
http://prntscr.com/eblq5g
http://prntscr.com/eblsv8
http://prntscr.com/ebltf8
http://prntscr.com/eblu5r

Bilal KARDADOU - ( https://www.linkedin.com/in/bilal-kardadou-21a000127)
-- 
*Bilal Kardadou*
IT Security Consultant
*E* : b.kardadou@capvalue.ma | *E* : bilalkardadou@gmail.com |