Date: Tue, 20 May 2003 19:36:33 +0200 (MEST)
From: ScriptSlave@....net
To: bugtraq@...urityfocus.com
Subject: More vulnerabilities in ttForum/ttCMS -> SQL injection


Advisory name: SQL Injection-Bug in ttForum (all versions)
Application: ttForum - all versions
Vendor: www.ttforum.com
Status: Vendor of ttForum was contacted but didn't reply
Impact: Attacker can get Administrator-rights on forum
Platform(s): any

Technical description:
----------------------

Everybody can inject SQL code in ttForum through the Profile-page if the
server is running PHP with "magic_quotes_gpc = off". All you have to do 
is to create an account and go to your Instant-Messages Screen. There you 
click on "Preferences".

Normally, the URL to that screen looks like this:

------------------------------------------
http://domain.tld/board/index.php?action=imprefs
------------------------------------------

Now you go to the Ignorelist-Textfield and enter

------------------------------------------
',memberGroup='Administrator
------------------------------------------

into it. After clicking on "Save Preferences" your account is upgraded to be
an Administrator, giving you full access to all Forum-Settings. The really
dangerous thing about this hole is that a hacker who gains Admin-Rights
at the Forums can allow uploading of PHP-Files and is able to execute any
code he wants to on the target system using the Upload-Feature!!!

ATTENTION!!! The current version of YaBB SE (where ttForum is derived
from) is NOT vulnerable!!! 

BE CAREFUL!!! ttCMS until V2.3 (http://www.ttcms) is also vulnerable,
because ttForum is shipped with the ttCMS default-setup!

Recommendations:
----------------
Enable magic_quotes_gpc in php.ini
Upgrade to a newer version of ttForum (none available, yet)
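
The flaw described above next to its fix, as an added example that is not part of the original advisory and is not ttForum's code. It runs against an in-memory SQLite database through PDO; the table name `members` and the column `im_ignore_list` are assumptions, only `memberGroup` and the field value are taken from the advisory.

```php
<?php
// Constructed schema: only the memberGroup column name comes from the advisory;
// the table name and the other columns are assumptions for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members (
    id INTEGER PRIMARY KEY, memberName TEXT, memberGroup TEXT, im_ignore_list TEXT)");

// Start each run from an ordinary, non-privileged account.
function resetMember(PDO $db): void {
    $db->exec("DELETE FROM members");
    $db->exec("INSERT INTO members VALUES (1, 'alice', '', '')");
}

function groupOf(PDO $db, int $id): string {
    $st = $db->prepare("SELECT memberGroup FROM members WHERE id = ?");
    $st->execute([$id]);
    return (string) $st->fetchColumn();
}

// Vulnerable pattern: the form value is concatenated into the SET clause,
// so a quote in it ends the string literal and the rest is parsed as SQL.
function saveIgnoreListUnsafe(PDO $db, int $id, string $ignore): void {
    $db->exec("UPDATE members SET im_ignore_list='$ignore' WHERE id=$id");
}

// Hardened pattern: the value is bound as a parameter and never parsed as SQL.
function saveIgnoreListSafe(PDO $db, int $id, string $ignore): void {
    $st = $db->prepare("UPDATE members SET im_ignore_list = :ignore WHERE id = :id");
    $st->execute([':ignore' => $ignore, ':id' => $id]);
}

$input = "',memberGroup='Administrator";   // field value quoted in the advisory

resetMember($db);
saveIgnoreListUnsafe($db, 1, $input);
printf("concatenated: memberGroup=%s\n", var_export(groupOf($db, 1), true));

resetMember($db);
saveIgnoreListSafe($db, 1, $input);
printf("bound:        memberGroup=%s\n", var_export(groupOf($db, 1), true));
```

With the bound parameter the whole field value is stored as the ignore list and `memberGroup` is left untouched, independent of the `magic_quotes_gpc` setting.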
