| VID |
210103 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The XOOPS program is vulnerable to an SQL injection vulnerability via the print.php script in the Dictionary module. XOOPS is a dynamic object oriented based open source portal system written in PHP. XFSection is a third-party module for XOOPS. XOOPS Dictionary Module versions 0.70, 0.91, 0.94 and possibly other versions could allow a remote attacker to execute arbitrary SQL commands, caused by improper filtering of user-supplied input passed to the 'id' parameter of the 'print.php' script. Regardless of PHP's 'magic_quotes_gpc' setting, a remote attacker could exploit this vulnerability to pass malicious input to database queries, potentially resulting in data exposure, modification of the query logic, or even data modification or attacks against the database itself.
* References:
http://www.frsirt.com/english/advisories/2008/0907
* Platforms Affected:
XOOPS, Dictionary module for XOOPS 0.70
XOOPS, Dictionary module for XOOPS 0.91
XOOPS, Dictionary module for XOOPS 0.94
Any operating system Any version |
| Recommendation |
No upgrade or patch available as of June 2014.
Upgrade to a fixed version of XOOPS Dictionary module, available from the XOOPS XFsection module Web site at http://www.xoops.org/modules/repository/singlefile.php?cid=100&lid=1331 |
| Related URL |
(CVE) |
| Related URL |
28275 (SecurityFocus) |
| Related URL |
41235 (ISS) |
|
