Sql injection in Xoops

2006.08.29
Credit: Omid
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2006-4417
CWE: CWE-Other


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Hi, There is a sql injection in Xoops 2.0.14 (and maybe before versions) . One of the user inputs, is used in the sql query without proper checking : File /edituser.php, Line 347 : :: if (!empty($_POST['user_avatar'])) { >> $user_avatar = trim($_POST['user_avatar']); :: $criteria_avatar = new CriteriaCompo(new Criteria('avatar_file', $user_avatar)); :: $criteria_avatar->add(new Criteria('avatar_type', "S")); :: $avatars =& $avt_handler->getObjects($criteria_avatar); :: if (!is_array($avatars) || !count($avatars)) { :: $user_avatar = 'blank.gif'; :: } The bug can be critical, so no more info . You can upgrade to 2.0.15 . Also, a simple solution is to change line 348 of /edituser.php, to : $user_avatar = addslashes(trim($_POST['user_avatar'])); The original advisory (in Persian), is located at : http://www.hackers.ir/advisories/xoops.html - Omid


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top