/ -[061124a]- \
| deV!L`z Clanportal - SQL Injection |
S Y N O P S I S /
-( access: remote severity: high )-
An SQL injection has been found in deV!L`z Clanportal, which allows any logged
in user to grant herself admin privileges in the system.
B A C K G R O U N D /
deV!L`z Clanportal (short "DZCP") is a suite of PHP scripts that allow anybody
to create a feature-rich website for her online gaming clan.
A F F E C T E D V E R S I O N S /
verified on: 1.3.6
possibly vulnerable: <= 1.3.6
fixed in: 126.96.36.199
I M P A C T /
The attacker gains admin privileges in DZCP and is thus able to create and
download a MySQL dump, upload files, post news, delete users etc.
P R E R E Q U I S I T I E S /
o the attacker needs to have an user account in the suite and be logged in
o php.ini directive "magic_quotes_gpc" has to be disabled
D E S C R I P T I O N /
sites/index.php is not escaping the $_GET['show'] parameter, leading to an SQL
injection. This can be used to pass any string to the $where parameter in
DZCP's page() function. page(), in turn, is not checking that parameter,
allowing a second SQL injection in an UPDATE statement on the "users" table to
change arbitrary attributes in the calling user's tuple, including the "level"
attribute, which, set to 4, grants the user administrator privileges.
W O R K A R O U N D /
o Add a mysql_real_escape_string() around the $_GET parameter in the SQL query
o Remove sites/index.php or make it inaccessible.
o Quit using DZCP. I mean it! There are tons of other vulnerabilites just
waiting to be exploited; some of them more severe than this one. IMHO, DZCP
is just a chaotic bunch of vulnerabilities that, by some coincidence, happen
to look like a clan portal.
P R O O F O F C O N C E P T /
Check if magic_quotes_gpc is enabled: