| VID |
210106 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The XOOPS program is vulnerable to an SQL injection vulnerability via the 'article.php' script in the Article module. XOOPS is a dynamic object oriented based open source portal system written in PHP. Article is a third-party module for XOOPS. XOOPS Article Module could allow a remote attacker to execute arbitrary SQL commands, caused by improper filtering of user-supplied input passed to the 'id' parameter of the 'modules/articles/article.php' script. Regardless of PHP's 'magic_quotes_gpc' setting, a remote attacker could exploit this vulnerability to pass malicious input to database queries, potentially resulting in data exposure, modification of the query logic, or even data modification or attacks against the database itself.
* References:
http://www.securityfocus.com/archive/1/archive/1/491150/100/0/threaded
* Platforms Affected:
XOOPS, Article module for XOOPS
Any operating system Any version |
| Recommendation |
No upgrade or patch available as of June 2014.
Upgrade to a fixed version of XOOPS Dictionary module, available from the XOOPS Web site at http://www.xoops.org/modules/repository/viewcat.php?list=A |
| Related URL |
CVE-2008-2094 (CVE) |
| Related URL |
28879 (SecurityFocus) |
| Related URL |
41943 (ISS) |
|
