[<prev] [next>] [day] [month] [year] [list]
Message-ID: <421.1053452193@www68.gmx.net>
Date: Tue, 20 May 2003 19:36:33 +0200 (MEST)
From: ScriptSlave@....net
To: bugtraq@...urityfocus.com
Subject: More vulnerabilities in ttForum/ttCMS -> SQL injection
Advisory name: SQL Injection-Bug in ttForum (all versions)
Application: ttForum - all versions
Vendor: www.ttforum.com
Status: Vendor of ttForum was contacted but didn't reply
Impact: Attacker can get Administrator-rights on forum
Platform(s): any
Technical description:
----------------------
Everybody can inject SQL code in ttForum through the Profile-page if the
server is running PHP with "magic_quotes_gpc = off". All you have to do
is to create an account and go to your Instant-Messages Screen. There you
click on "Preferences".
Normally, the URL to that scrren looks like this:
------------------------------------------
http://domain.tld/board/index.php?action=imprefs
------------------------------------------
Now you go to the Ignorelist-Textfield and enter
------------------------------------------
',memberGroup='Administrator
------------------------------------------
into it. After clicking on "Save Preferences" your account is upgraded to be
an Administrator giving you full access to all Forum-Settings. The really
dangerous thing about this hole is, that a hacker that gains Admin-Rights
at the Forums can allow uploading of PHP-Files and is able to execute any
code he wants to on the target system using the Upload-Feature!!!
ATTENTION!!! The current version of YaBB SE (where ttForum is derived
from) is NOT vulnerable!!!
BE CAREFUL!!! ttCMS until V2.3 (http://www.ttcms) is also vulnerable,
because
ttForum is shipped with the ttCMS default-setup!
Recommendations:
----------------
Enable magic_quotes_gpc in php.ini
Upgrade to a newer version of ttForum (none available, yet)
--
+++ GMX - Mail, Messaging & more http://www.gmx.net +++
Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!
Powered by blists - more mailing lists