Related information

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

[SA21648] Fotopholder "path" Cross-Site Scripting Vulnerability

[Full-disclosure] [vuln.sg] Cybozu Garoon 2 SQL Injection Vulnerabilities

[Full-disclosure] [vuln.sg] Cybozu Products Arbitrary File Retrieval Vulnerability

eFiction < 2.0.7 Remote Admin Authentication Bypass Vulnerability

From:	Omid <omid_(at)_hackers.ir>
Date:	28.08.2006
Subject:	Sql injection in Xoops

Hi,
There is a sql injection in Xoops 2.0.14 (and maybe before versions) .
One of the user inputs, is used in the sql query without proper checking :

File /edituser.php, Line 347 :
::     if (!empty($_POST['user_avatar'])) {
>>         $user_avatar = trim($_POST['user_avatar']);
::         $criteria_avatar = new CriteriaCompo(new Criteria('avatar_file', $user_avatar));
::         $criteria_avatar->add(new Criteria('avatar_type', "S"));
::         $avatars =& $avt_handler->getObjects($criteria_avatar);
::         if (!is_array($avatars) || !count($avatars)) {
::              $user_avatar = 'blank.gif';
::         }

The bug can be critical, so no more info .

You can upgrade to 2.0.15 .
Also, a simple solution is to change line 348 of /edituser.php, to :
       $user_avatar = addslashes(trim($_POST['user_avatar']));

The original advisory (in Persian), is located at :
http://www.hackers.ir/advisories/xoops.html


- Omid