Title: Blind boolean sql injection vulnerability in ResourceSpace CMS Author: William F. Reyor III Contact: opticfiber@gmail.com Published: August 22 2015 Vendor: Montala Limited Vendor url: www.resourcespace.org Software: ResourceSpace Digital Asset Management Software Versions: 7.3.7009 and prior Status: Unpatched Vulnerable scripts: /plugins/feedback/pages/feedback.php Description: There is blind boolean SQL injection vulnerability in the user cookie on the /plugins/feedback/pages/feedback.php application. This can be validated with sqlmap with the following flags, giving a full sql shell: ./sqlmap.py -u "http://<hostname>/plugins/feedback/pages/feedback.php" --cookie="user=test" --level=2 --technique=B --sql-shell This also allows an attacker to execute arbitrary queries such as 'select username, password, usergroup from user -- William Reyor *"L'essentiel est invisible pour les yeux"*