From: "Omid" <omid@hackers.ir.>
To: <bugtraq@securityfocus.com.>
Subject: Sql injection bugs in Xoops 2.0.16 + Weblinks module
Date: Sun, 04 Feb 2007 20:38:45 +0330
User-Agent: Hackers.ir/1.0
MIME-Version: 1.0
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: 8bit
Importance: Normal
X-Priority: 3 (Normal)
X-Mailer: Hackers.ir/1.0
X-Virus-Scanned: antivirus-gw at tyumen.ru
Hi,
These bugs were published in full-disclosure about 2 weeks ago (CVE-2007-0377).
There is a sql injection bug in Xoops 2.0.16 core (and maybe other versions) in
admin section:
The 'id' parameter in "get()" function is not checked against sql injections :
File kernel/group.php, Line 94 :
:: function &get($id)
:: {
:: $group = false;
:: if (intval($id) > 0) {
$sql = 'SELECT * FROM '.$this->db->prefix('groups').' WHERE groupid='.$id;
This one doesnt seem to be critical .
In "Weblinks" module :
The 'lid' parameter in "deleteByLid()" function is not
checked against sql injections :
File class/table_broken.php, Line 58 :
:: function deleteByLid($lid)
:: {
$sql = "DELETE FROM $this->table WHERE lid=$lid";
:: return $this->query_false($sql);
:: }
Also 3 other sql injections exist which can be exploitable and are not
discribed here . The new version is not released yet .
The original advisory (in Persian) is located at :
http://www.hackers.ir/advisories/festival.txt
- Omid
