TUCoPS :: Web :: PHP :: bt214.txt

Remote code execution in ttCMS <=v2.3

Advisory name: Remote code execution in ttCMS 2.2.0/2.2.1
Application: ttCMS v2.3 (and older versions)
Vendor: www.ttcms.com
Status: Vendor was contacted but didn't reply - after posting about another
hole on his forums, my account was banned
Impact: Attacker can execute arbitrary php code 
Platform(s): Unix 

Technical description:

Everybody can inject PHP code in ttCMS through the file "header.php"
which can be found in the directory admin/templates/

(Line #002) if ($HTTP_COOKIE_VARS["ttcms_user_admin"] > 0) {
(Line #003)  include_once("$admin_root/templates/header.inc.php");
(Line #004) } else {
(Line #005)  header("Location: $admin_root_url/login.php");
(Line #006)  exit;
(Line #007) }

all you have to do is to send a fake cookie containing


(this can easily be done by using a tool like Proxomitron or

In order to exploit this vulnerability, you have to create a 
file "templates/header.inc.php" on your own webserver,
which contains the  code you want to execute on the target-system.

If you now call the file "header.php" like this:


the code in "templates/header.inc.php" on your own webserver will be 
injected. (of course, PHP Execution must be disabled on your machine or
you must use a ftp-Server to store the file you want to inject)

Run ttCMS on a secure environment.
Disable register_globals in php.ini
Update to a newer version of ttCMS (currently, none exists)

+++ GMX - Mail, Messaging & more  http://www.gmx.net +++
Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH