Xoops 2.4.3
Vulnerability description:
Xoops is a popular dynamic web content management system written in object-oriented PHP.
Xoops uses the unlink() function to delete files on the web server, and the path it passes in is derived from user input:

    unlink($oldsmile_path);

Although filter functions such as str_replace() are applied first:

    $oldsmile_path = str_replace("\\", "/",
        realpath(XOOPS_UPLOAD_PATH . '/' . trim($_POST['old_smile'])));

this filtering is not strong enough. str_replace() only normalises backslashes to forward slashes, and realpath() resolves "../" components instead of rejecting them; the resolved path is never checked to lie inside XOOPS_UPLOAD_PATH. A user who can submit the old_smile parameter can therefore craft a request that deletes a file of their choosing, limited only by the permissions of the web server process.
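The following is an added example, not XOOPS code and not the vendor's fix. It reproduces the effect of the str_replace()/realpath() construction quoted above, shows a traversal value escaping the upload tree, and contrasts it with a containment check that compares the resolved path against the resolved upload root. XOOPS_UPLOAD_PATH, the file names and the inputs are all constructed here so that the script runs on its own in a throw-away temp directory.

```php
<?php
// Added example; not XOOPS code. Demonstrates why normalising slashes and
// calling realpath() does not prevent directory traversal, and the check
// that does. XOOPS_UPLOAD_PATH is defined here as a temp directory.
declare(strict_types=1);

$base = sys_get_temp_dir() . '/xoops_unlink_demo_' . getmypid();
mkdir($base . '/uploads/smilies', 0700, true);
define('XOOPS_UPLOAD_PATH', $base . '/uploads');

// A legitimate smiley inside the upload tree, and a file outside it that an
// attacker would like removed (both constructed for this demo).
file_put_contents(XOOPS_UPLOAD_PATH . '/smilies/smile.gif', 'GIF89a');
file_put_contents($base . '/config.php', '<?php // stand-in for a site config');

// Same effect as the path construction quoted in the advisory: backslashes
// normalised, path resolved, nothing checked against the upload root.
function vulnerable_path(string $oldSmile): string
{
    $resolved = realpath(XOOPS_UPLOAD_PATH . '/' . trim($oldSmile));
    return $resolved === false ? '' : str_replace("\\", "/", $resolved);
}

// Hardened variant (an assumption about what a fix should do, not the
// vendor's patch). realpath() is kept because it collapses "..", "./" and
// symlinks, which is what makes a plain prefix comparison meaningful.
function safe_path(string $oldSmile): ?string
{
    $root     = realpath(XOOPS_UPLOAD_PATH);
    $resolved = realpath(XOOPS_UPLOAD_PATH . '/' . trim($oldSmile));
    if ($root === false || $resolved === false) {
        return null;                       // nonexistent target: refuse
    }
    // Compare against the root plus a separator so that a sibling such as
    // "/uploads_evil" is not accepted as being inside "/uploads".
    if (strncmp($resolved, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;                       // escaped the upload tree
    }
    if (!is_file($resolved)) {
        return null;                       // never unlink directories or devices
    }
    return $resolved;
}

$benign = 'smilies/smile.gif';
$attack = '../config.php';                 // traversal relative to XOOPS_UPLOAD_PATH

printf("vulnerable: %-20s -> %s\n", $attack, vulnerable_path($attack));
printf("safe:       %-20s -> %s\n", $attack, var_export(safe_path($attack), true));
printf("safe:       %-20s -> %s\n", $benign, var_export(safe_path($benign), true));

// Only the hardened function is ever allowed to feed unlink().
foreach ([$attack, $benign] as $input) {
    $target = safe_path($input);
    if ($target !== null) {
        unlink($target);
    }
}
printf("config.php still exists: %s\n", var_export(file_exists($base . '/config.php'), true));
printf("smile.gif still exists:  %s\n", var_export(file_exists(XOOPS_UPLOAD_PATH . '/smilies/smile.gif'), true));

// Remove the demo tree.
unlink($base . '/config.php');
rmdir(XOOPS_UPLOAD_PATH . '/smilies');
rmdir(XOOPS_UPLOAD_PATH);
rmdir($base);
```

Run it with the PHP CLI from any directory. The point to take away is that realpath() is a normaliser, not a validator: it is useful precisely because it turns every spelling of a path into one canonical form, but the caller still has to compare that form against the directory it intends to stay inside, with the trailing separator included in the comparison.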
Xoops also uses the $redirect variable, taken from user input, without any filtering or restriction:

    $redirect = trim($_GET['xoops_redirect']);

and later:

    header('Location: ' . $redirect);

Because the value is written into an HTTP response header unchanged, a crafted request can carry carriage-return/line-feed characters that terminate the Location header and inject further headers or even a response body (HTTP response splitting); content injected this way, such as script, is then rendered when the poisoned response is loaded. On PHP 5.1.2 and later, header() refuses a value that contains a newline, which blocks the splitting but not the second problem: the unchecked value also makes the redirect an open redirect to any attacker-chosen URL.

Reference:
CodeScan Labs (advisories@codescan.com)
http://marc.info/?l=bugtraq&m=126392239411722&w=2
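The following is an added example for the xoops_redirect issue above, not XOOPS code and not the vendor's fix. It shows the header line that the quoted code would build from a raw value, beside a validator that rejects control characters (what header injection needs) and off-site targets (the open redirect). SITE_URL stands in for the site's base URL, and the sample values are constructed, already URL-decoded as they would appear in $_GET.

```php
<?php
// Added example; not XOOPS code. Compares the unchecked Location header
// from the advisory with a validator for the redirect target.
declare(strict_types=1);

const SITE_URL = 'http://www.example.test';   // assumption: stands in for the site base URL

// What the advisory quotes, in effect: the header line is built from the
// raw value, so whatever the client sent becomes part of the response.
function vulnerable_location_header(string $xoopsRedirect): string
{
    $redirect = trim($xoopsRedirect);
    return 'Location: ' . $redirect;
}

// Hardened variant (an assumption, not the vendor's fix): returns an
// absolute URL on this site, or null when the value must be discarded.
function safe_redirect_target(string $xoopsRedirect): ?string
{
    $r = trim($xoopsRedirect);
    // CR, LF and other control characters are what header injection relies
    // on; a backslash is treated like "/" by browsers in some positions.
    if ($r === '' || preg_match('/[\x00-\x1F\x7F\\\\]/', $r)) {
        return null;
    }
    $parts = parse_url($r);
    if ($parts === false) {
        return null;
    }
    $site = parse_url(SITE_URL);
    if (isset($parts['scheme']) || isset($parts['host'])) {
        // Absolute or protocol-relative ("//host/..."): accept only a full
        // URL whose scheme and host both match this site.
        if (!isset($parts['scheme'], $parts['host'])
            || strcasecmp($parts['scheme'], $site['scheme']) !== 0
            || strcasecmp($parts['host'], $site['host']) !== 0) {
            return null;
        }
        return $r;
    }
    // Relative: require a leading "/" so the target stays on this site
    // (a second "/" was already caught by the host check above).
    if ($r[0] !== '/') {
        return null;
    }
    return SITE_URL . $r;
}

// Constructed inputs, already URL-decoded as they would be in $_GET.
$samples = [
    '/userinfo.php?uid=1',
    SITE_URL . '/index.php',
    'http://attacker.example/',
    '//attacker.example/',
    "/index.php\r\nSet-Cookie: session=attacker",
    "/\\attacker.example/",
    'javascript:alert(1)',
];

foreach ($samples as $s) {
    $target = safe_redirect_target($s);
    printf("input:      %s\n", json_encode($s));
    printf("vulnerable: %s\n", json_encode(vulnerable_location_header($s)));
    printf("safe:       %s\n\n", $target === null ? 'REJECTED' : $target);
}
```

The validator deliberately builds the final URL itself from SITE_URL and a site-relative path, rather than trying to clean the attacker's string: an allow-list of what a redirect may look like is far easier to get right than a deny-list of injection characters, and it also covers the open-redirect case that a newline check alone would leave open.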
Vendor patch:
Xoops
-----
At the time of writing the vendor has not released a patch or upgrade. Users of the software are advised to follow the vendor's homepage for the latest version:
http://xoops.sourceforge.net/