MBLS Flex CMS 0.7.2 SQL Injection / Cross Site Scripting

24 Feb 2017 | Reported by Bilal Kardadou | Type: packetstorm | Source: packetstormsecurity.com

SQL injection & Cross-site scripting in Flex CMS 0.7.2 by Bilal KARDADO

Code
`Title: SQL injection & Cross-site scripting in CMS Flex  
Credit: Bilal KARDADOU  
Vulnerability: SQL injection & Cross-Site scripting  
Vulnerable version: Flex Version 0.7.2  
Vendor: MBL Solutions Ltd  
Vendor URL: http://www.mblsolutions.co.uk/  
Product: FLEX CMS "THE INTUITIVE CONTENT MANAGEMENT SYSTEM"  
Product URL: http://www.mblsolutions.co.uk/content-management-system.html  
  
  
  
Product & Service Introduction:  
===============================  
MBLS Flex, is our own easy to use Content Management System (CMS).  
  
Feature rich and reliable, it's being used by some of the UK's biggest  
brands. It uses a simple approach to create pages or edit content and  
pictures throughout the site.  
  
MBLS Flex then does the hard bit and converts this into code for you. So it  
takes literally minutes to make amends.  
  
(Copy of the Vendor Homepage:  
http://www.mblsolutions.co.uk/content-management-system.html )  
  
  
Technical Details & Description:  
================================  
A remote sql injection web vulnerability has been discovered in the  
official Flex CMS Version 0.7.2 content management system.  
The web vulnerability allows remote attackers to execute own malicious sql  
commands to compromise the application or dbms.  
  
The sql injection vulnerability is located in the 'email' parameter of the  
'email=admin@exemple' module POST method request.  
Remote attackers are able to execute own sql commands by usage of an  
insecure POST method request through the vulnerable  
parameter of the own application. The attack vector of the vulnerability is  
application-side and the request method to  
inject is POST. The security vulnerability in the content management system  
is a classic select remote sql-injection.  
  
  
http://www.TARGET.com/admin/index.php  
email='[SQL injection] & [Cross-site scripting]&password=admin&login=login  
  
Security Risk:  
==============  
The security risk of the sql-injection vulnerability in the Flex CMS  
web-application is estimated as high.  
  
  
  
---tables from database ---  
select datacapture_fields  
select datacapture_field_options  
select datacapture_field_types  
select datacapture_forms  
select flex_components  
select flex_config  
select flex_content  
select flex_menus  
select flex_menu_items  
select flex_positions  
select flex_sections  
select flex_statistics  
select flex_templates  
select flex_users  
select photogallery_albums  
select photogallery_config  
select photogallery_images  
select search_config  
select search_statistics  
  
---PoC---  
http://prntscr.com/ebloz4  
http://prntscr.com/eblq5g  
http://prntscr.com/eblsv8  
http://prntscr.com/ebltf8  
http://prntscr.com/eblu5r  
  
Bilal KARDADOU - ( https://www.linkedin.com/in/bilal-kardadou-21a000127)  
--   
*Bilal Kardadou*  
IT Security Consultant  
`
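
The defect class the advisory describes in the `email` POST field, shown beside its fix. This is an added example, not code from the advisory and not Flex CMS source. Only the `flex_users` table name and the `email`/`password` fields come from the page; the column names, function names and the in-memory SQLite database (PDO with `pdo_sqlite`) are assumptions made so the example runs offline.

```php
<?php
declare(strict_types=1);
// Added illustration, not Flex CMS source. Only the flex_users table and the
// email/password fields come from the advisory; column names are assumed.
$db = new PDO('sqlite::memory:'); // stand-in database so this runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE flex_users (email TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
$db->prepare('INSERT INTO flex_users (email, pw_hash) VALUES (?, ?)')
   ->execute(['admin@example.test', password_hash('constructed-password', PASSWORD_DEFAULT)]);

// Weak pattern: the POSTed value becomes part of the SQL text itself.
function lookupConcatenated(PDO $db, string $email): ?array {
    $sql = "SELECT email, pw_hash FROM flex_users WHERE email = '$email'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Corrected pattern: the SQL text is fixed and the value is bound as data.
function lookupBound(PDO $db, string $email): ?array {
    $stmt = $db->prepare('SELECT email, pw_hash FROM flex_users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Login built on the bound lookup; the password is checked against a hash.
function login(PDO $db, string $email, string $password): bool {
    $user = lookupBound($db, $email);
    return $user !== null && password_verify($password, $user['pw_hash']);
}

// Encode a value before echoing it back into the login form (XSS side).
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed input: a quote and markup characters, nothing more.
$email = "o'neil<b>@example.test";
try {
    lookupConcatenated($db, $email);
    echo "concatenated: query ran\n";
} catch (PDOException $ex) {
    echo "concatenated: input changed the SQL text (", $ex->getMessage(), ")\n";
}
var_dump(login($db, $email, 'x'));
var_dump(login($db, 'admin@example.test', 'constructed-password'));
echo '<input name="email" value="', e($email), '">', "\n";
```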
