Sql injection bugs in Xoops 2.0.16 + Weblinks module

2007-02-05T00:00:00
ID SECURITYVULNS:DOC:15969
Type securityvulns
Reporter Securityvulns
Modified 2007-02-05T00:00:00

Description

Hi,

These bugs were published in full-disclosure about 2 weeks ago (CVE-2007-0377).

There is a sql injection bug in Xoops 2.0.16 core (and maybe other versions) in admin section:

The 'id' parameter in "get()" function is not checked against sql injections :

File kernel/group.php, Line 94 : :: function &get($id) :: { :: $group = false; :: if (intval($id) > 0) { ** $sql = 'SELECT * FROM '.$this->db->prefix('groups').' WHERE groupid='.$id;

This one doesnt seem to be critical .

In "Weblinks" module :

The 'lid' parameter in "deleteByLid()" function is not checked against sql injections :

File class/table_broken.php, Line 58 : :: function deleteByLid($lid) :: { ** $sql = "DELETE FROM $this->table WHERE lid=$lid"; :: return $this->query_false($sql); :: }

Also 3 other sql injections exist which can be exploitable and are not discribed here . The new version is not released yet .

The original advisory (in Persian) is located at : http://www.hackers.ir/advisories/festival.txt

  • Omid