EXPLOITS

ttCMS 2.2/2.3 / ttForum 1.1 - 'index.php' Instant-Messages Preferences SQL Injection

Author: ScriptSlave@gmx.net
type: webapps
platform: php
port: 
date_added: 2003-05-20  
date_updated: 2012-11-11  
verified: 1  
codes:   
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 22618.txt  

source: https://www.securityfocus.com/bid/7634/info

A problem with ttCMS/ttForum could make it possible for a remote user to launch SQL injection attacks.

It has been reported that a problem exists in the Instant-Messages script distributed as part of the software. Due to insufficient sanitizing of input, it is possible for a remote user to inject arbitrary SQL into the database used by the web forums.

It should be noted that the current version of YaBB SE, the Forum that ttForum was derived from, is not affected by this vulnerability.

http://www.example.org/board/index.php?action=imprefs

Go to the Ignorelist-Textfield and enter:

',memberGroup='Administrator