Sql injection in Xoops

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Sql injection in Xoops
From: "Omid" <omid@xxxxxxxxxx>
Date: Sat, 26 Aug 2006 01:49:29 +0430
Importance: Normal
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Hackers.ir/1.0

Hi,
There is a sql injection in Xoops 2.0.14 (and maybe before versions) .
One of the user inputs, is used in the sql query without proper checking :

File /edituser.php, Line 347 :
::     if (!empty($_POST['user_avatar'])) {
>>         $user_avatar = trim($_POST['user_avatar']);
::         $criteria_avatar = new CriteriaCompo(new Criteria('avatar_file', 
$user_avatar));
::         $criteria_avatar->add(new Criteria('avatar_type', "S"));
::         $avatars =& $avt_handler->getObjects($criteria_avatar);
::         if (!is_array($avatars) || !count($avatars)) {
::              $user_avatar = 'blank.gif';
::         }

The bug can be critical, so no more info .

You can upgrade to 2.0.15 .
Also, a simple solution is to change line 348 of /edituser.php, to :
        $user_avatar = addslashes(trim($_POST['user_avatar']));

The original advisory (in Persian), is located at :
http://www.hackers.ir/advisories/xoops.html


- Omid

Prev by Date: Sql injection in Mambo & Joomla
Next by Date: AlstraSoft Video Share Enterprise Remote File Include Vulnerability
Previous by thread: Sql injection in Mambo & Joomla
Next by thread: AlstraSoft Video Share Enterprise Remote File Include Vulnerability
Index(es):
- Date
- Thread