Home page logo

bugtraq logo Bugtraq mailing list archives

More vulnerabilities in ttForum/ttCMS -> SQL injection
From: ScriptSlave () gmx net
Date: Tue, 20 May 2003 19:36:33 +0200 (MEST)

Advisory name: SQL Injection-Bug in ttForum (all versions)
Application: ttForum - all versions
Vendor: www.ttforum.com
Status: Vendor of ttForum was contacted but didn't reply
Impact: Attacker can get Administrator-rights on forum
Platform(s): any

Technical description:

Everybody can inject SQL code in ttForum through the Profile-page if the
server is running PHP with "magic_quotes_gpc = off". All you have to do 
is to create an account and go to your Instant-Messages Screen. There you 
click on "Preferences".

Normally, the URL to that scrren looks like this:


Now you go to the Ignorelist-Textfield and enter


into it. After clicking on "Save Preferences" your account is upgraded to be
an Administrator giving you full access to all Forum-Settings. The really
dangerous thing about this hole is, that a hacker that gains Admin-Rights
at the Forums can allow uploading of PHP-Files and is able to execute any 
code he wants to on the target system using the Upload-Feature!!!

ATTENTION!!! The current version of YaBB SE (where ttForum is derived
from) is NOT vulnerable!!! 

BE CAREFUL!!! ttCMS until V2.3 (http://www.ttcms) is also vulnerable,
ttForum is shipped with the ttCMS default-setup!

Enable magic_quotes_gpc in php.ini
Upgrade to a newer version of ttForum (none  available, yet)

+++ GMX - Mail, Messaging & more  http://www.gmx.net +++
Bitte l├Ącheln! Fotogalerie online mit GMX ohne eigene Homepage!

  By Date           By Thread  

Current thread:
  • More vulnerabilities in ttForum/ttCMS -> SQL injection ScriptSlave (May 20)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]