Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web BBS :: etc :: bt223.txt

ttForum/ttCMS -> SQL injection

Advisory name: SQL Injection-Bug in ttForum (all versions)
Application: ttForum - all versions
Status: Vendor of ttForum was contacted but didn't reply
Impact: Attacker can get Administrator-rights on forum
Platform(s): any

Technical description:

Everybody can inject SQL code in ttForum through the Profile-page if the
server is running PHP with "magic_quotes_gpc = off". All you have to do 
is to create an account and go to your Instant-Messages Screen. There you 
click on "Preferences".

Normally, the URL to that scrren looks like this:


Now you go to the Ignorelist-Textfield and enter


into it. After clicking on "Save Preferences" your account is upgraded to be
an Administrator giving you full access to all Forum-Settings. The really
dangerous thing about this hole is, that a hacker that gains Admin-Rights
at the Forums can allow uploading of PHP-Files and is able to execute any 
code he wants to on the target system using the Upload-Feature!!!

ATTENTION!!! The current version of YaBB SE (where ttForum is derived
from) is NOT vulnerable!!! 

BE CAREFUL!!! ttCMS until V2.3 (http://www.ttcms) is also vulnerable,
ttForum is shipped with the ttCMS default-setup!

Enable magic_quotes_gpc in php.ini
Upgrade to a newer version of ttForum (none  available, yet)

+++ GMX - Mail, Messaging & more +++
Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH