[31905] in bugtraq
DCP Portal - 5.5 holes
daemon@ATHENA.MIT.EDU (Lifo Fifo)
Wed Oct 1 12:22:41 2003
Date: 1 Oct 2003 12:08:25 -0000
Message-ID: <20031001120825.7739.qmail@sf-www1-symnsj.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Lifo Fifo <lifofifo20@yahoo.com>
To: bugtraq@securityfocus.com
Never use this product if you have turned off magic_quotes_gpc. And this product won't work anyway if you have turned off register_globals.
All the files in the product, dont check for integrity of variables. You can easily exploit this using some SQL Injection techniques. For example, if you want to get username/password of all the users, you can exploit advertiser.php.
Open it like,
http://localhost/dcp/advertiser.php?adv_logged=1&username=1&password=qwe' or 1=1 UNION select uid,name,password,surname,job,email from dcp5_members into outfile 'c:/apache2/htdocs/dcpad.txt
This is for windows, if web-server is running on *nix, then you could enter something like,
http://localhost/dcp/advertiser.php?adv_logged=1&username=1&password=qwe' or 1=1 UNION select uid,name,password,surname,job,email from dcp5_members into outfile '/var/www/html/dcpad.txt
In this cases, you will need to enter the absolute path. For that, run the follwing
http://localhost/dcp/advertiser.php?adv_logged=1&username=1&password=' and that will show the path to the sever if they have turned on display_errors in php.ini.
That's all ! Notice that here we are using UNION function in query. For that, the host should be running version MySQL 4.x. Well, if it's not running 4.x, No problem, we have another file !
This time it's lostpassword.php.
Open it like,
http://localhost/dcp/lostpassword.php?action=lost&email=fake' or 1=1--'
This will really cause some damage. It will reset password of everyone. Everyone will get as many mails as the number of users. And evryone's password will be the one provided in the last email.
I didn't have time to check if there was injection possible with some numeric field. If it's there, one can launch select-fish attacks, which would work even in case of magic_quotes_gpc is on.
Fix : Insteading of fixing it, simply turn on magic_quotes_gpc. Otherwise it will take you as much time as they took in making DCP Portal.
-lifofifo
http://www.hackingzone.org/
