Advisory name: SQL Injection-Bug in ttForum (all versions)
Application: ttForum - all versions
Vendor: www.ttforum.com
Status: Vendor of ttForum was contacted but didn't reply
Impact: Attacker can get Administrator-rights on forum
Platform(s): any

Technical description:
----------------------
Everybody can inject SQL code into ttForum through the Profile-page if the server is running PHP with "magic_quotes_gpc = off". All you have to do is create an account and go to your Instant-Messages screen. There you click on "Preferences". Normally, the URL of that screen looks like this:

------------------------------------------
http://domain.tld/board/index.php?action=imprefs
------------------------------------------

Now you go to the Ignorelist-Textfield and enter

------------------------------------------
',memberGroup='Administrator
------------------------------------------

into it. After clicking on "Save Preferences" your account is upgraded to Administrator, giving you full access to all Forum-Settings.

The really dangerous thing about this hole is that a hacker who gains Admin-Rights on the Forums can allow uploading of PHP-Files and is able to execute any code he wants on the target system using the Upload-Feature!!!

ATTENTION!!! The current version of YaBB SE (which ttForum is derived from) is NOT vulnerable!!!

BE CAREFUL!!! ttCMS until V2.3 (http://www.ttcms) is also vulnerable, because ttForum is shipped with the ttCMS default-setup!

Recommendations:
----------------
Enable magic_quotes_gpc in php.ini
Upgrade to a newer version of ttForum (none available, yet)
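
The mechanism described above, as an added example that is not ttForum's code and not part of the original advisory: a string-concatenated UPDATE beside a parameterized one, both run against the ignore-list value the advisory quotes. Only the memberGroup column name comes from the advisory; the table, the other columns, the member name and the SQLite backend are assumptions.

```python
import sqlite3

# Constructed schema: only the memberGroup column name comes from the advisory;
# the table and the other column names are assumptions for illustration.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (memberName TEXT PRIMARY KEY, "
               "memberGroup TEXT, im_ignore_list TEXT)")
    db.execute("INSERT INTO members VALUES ('alice', 'Member', '')")
    return db

def save_prefs_concatenated(db, member, ignore_list):
    """Vulnerable pattern: the form value is pasted into the SQL text."""
    sql = ("UPDATE members SET im_ignore_list='" + ignore_list +
           "' WHERE memberName='" + member + "'")
    db.execute(sql)
    return sql

def save_prefs_parameterized(db, member, ignore_list):
    """Hardened pattern: the value is bound as data, never parsed as SQL."""
    db.execute("UPDATE members SET im_ignore_list=? WHERE memberName=?",
               (ignore_list, member))

def member_row(db, member):
    return db.execute("SELECT memberGroup, im_ignore_list FROM members "
                      "WHERE memberName=?", (member,)).fetchone()

# The ignore-list value quoted in the advisory.
ADVISORY_INPUT = "',memberGroup='Administrator"

def demo():
    results = {}
    db = make_db()
    # The quote in the input closes the string literal early, so the rest of
    # the input is parsed as a second column assignment.
    results["sql"] = save_prefs_concatenated(db, "alice", ADVISORY_INPUT)
    results["concatenated"] = member_row(db, "alice")
    db = make_db()
    # Bound as a parameter, the same input is stored verbatim as text.
    save_prefs_parameterized(db, "alice", ADVISORY_INPUT)
    results["parameterized"] = member_row(db, "alice")
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Binding parameters fixes the query itself instead of depending on the server-wide magic_quotes_gpc setting, which was removed in PHP 5.4.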