OSVDB ID: 25683

Title: XOOPS xoopsConfig Variable Overwrite Arbitrary Local File Inclusion

Info

Disclosure
May 21, 2006

Discovery
Unknown

Dates

Exploit
May 21, 2006

Solution
Unknown

Description

 Xoops contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when passing input to "xoopsConfig" array parameter when the "xoopsOption[nocommon]" parameter is defined, which will disclose arbitrary files from local resources resulting in a loss of confidentiality.

Classification

 Location: Remote / Network Access
Attack Type: Information Disclosure, Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Solution: Solution Unknown
Exploit: Exploit Public
OSVDB: Web Related

Solution

 Currently, there are no known workarounds or upgrades to correct this issue. However, Xoops has released a patch to address this vulnerability.

Products

Xoops

Xoops

 2.0.13.2

References

Credit
  • rgod - rgodautistici.org - http://retrogod.altervista.org


Direct URL: http://osvdb.org/25683