XOOPS system_blocks.php b_system_comments_show() Information Disclosure

ID OSVDB:39877
Type osvdb
Reporter InstantZero()
Modified 2008-01-04T10:18:58


Vulnerability Description

XOOPS contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered due to missing permission checks within the 'b_system_comments_show()' function in 'htdocs/modules/system/blocks/system_blocks.php', which will disclose comments of restricted modules resulting in a loss of confidentiality.

Solution Description

Upgrade to version 2.0.18 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

XOOPS b_system_comments_show() Information Disclosure


Vendor Specific News/Changelog Entry: http://sourceforge.net/tracker/index.php?func=detail&aid=1808484&group_id=41586&atid=430840 Vendor Specific News/Changelog Entry: http://sourceforge.net/project/shownotes.php?group_id=41586&release_id=564689 Secunia Advisory ID:28264 CVE-2007-6675 Bugtraq ID: 27135