Advisory name: SQL Injection-Bug in ttForum (all versions)
Application: ttForum - all versions
Vendor: www.ttforum.com
Status: Vendor of ttForum was contacted but didn't reply
Impact: Attacker can get Administrator-rights on forum
Platform(s): any

Technical description:
----------------------

Everybody can inject SQL code in ttForum through the Profile-page if the
server is running PHP with "magic_quotes_gpc = off". All you have to do 
is to create an account and go to your Instant-Messages Screen. There you 
click on "Preferences".

Normally, the URL to that scrren looks like this:

------------------------------------------
http://domain.tld/board/index.php?action=imprefs
------------------------------------------

Now you go to the Ignorelist-Textfield and enter

------------------------------------------
',memberGroup='Administrator
------------------------------------------

into it. After clicking on "Save Preferences" your account is upgraded to be
an Administrator giving you full access to all Forum-Settings. The really
dangerous thing about this hole is, that a hacker that gains Admin-Rights
at the Forums can allow uploading of PHP-Files and is able to execute any 
code he wants to on the target system using the Upload-Feature!!!

ATTENTION!!! The current version of YaBB SE (where ttForum is derived
from) is NOT vulnerable!!! 

BE CAREFUL!!! ttCMS until V2.3 (http://www.ttcms) is also vulnerable,
because
ttForum is shipped with the ttCMS default-setup!

Recommendations:
----------------
Enable magic_quotes_gpc in php.ini
Upgrade to a newer version of ttForum (none  available, yet)

-- 
+++ GMX - Mail, Messaging & more  http://www.gmx.net +++
Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!