ttCMS 2.2/2.3 / ttForum 1.1 - 'index.php' Instant-Messages Preferences SQL Injection

EDB-ID:

22618

CVE:

N/A




Platform:

PHP

Date:

2003-05-20


source: https://www.securityfocus.com/bid/7634/info

A problem with ttCMS/ttForum could make it possible for a remote user to launch SQL injection attacks.

It has been reported that a problem exists in the Instant-Messages script distributed as part of the software. Due to insufficient sanitizing of input, it is possible for a remote user to inject arbitrary SQL into the database used by the web forums.

It should be noted that the current version of YaBB SE, the Forum that ttForum was derived from, is not affected by this vulnerability. 

http://www.example.org/board/index.php?action=imprefs

Go to the Ignorelist-Textfield and enter:

',memberGroup='Administrator