| VID |
210051 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The XOOPS program is vulnerable to an SQL injection vulnerability via the 'modules/jobs/index.php' script. XOOPS is a dynamic object oriented based open source portal system written in PHP. XOOPS Jobs Module version 2.4 and earlier versions are vulnerable to an SQL injection vulnerability, caused by improper validation of user-supplied input passed to the 'cid' parameter of the 'modules/jobs/index.php' script. Regardless of PHP's 'magic_quotes_gpc' setting, this vulnerability could permit a remote attacker to pass malicious input to database queries, potentially resulting in data exposure, modification of the query logic, or even data modification or attacks against the database itself.
* References:
http://www.milw0rm.com/exploits/3672
* Platforms Affected:
Xoops Jobs Module version 2.4 and earlier versions
Any operating system Any version |
| Recommendation |
No upgrade or patch available as of June 2014.
Upgrade to a fixed version of Xoops Jobs Module greater than 2.4, when new fixed version becomes available from the Xoops Jobs Module Download Web page at http://dev.xoops.org/modules/xfmod/project/showfiles.php?group_id=1259&release_id=703 |
| Related URL |
CVE-2007-2370 (CVE) |
| Related URL |
23344 (SecurityFocus) |
| Related URL |
33468 (ISS) |
|
