February 2007
XOOPS local file inclusion vulnerabilities, update to XOOPS 2.0.15 or later
Thank you for the report; clearing it from the pending items.
December 2006
XOOPS local file inclusion vulnerabilities, update to XOOPS 2.0.15 or later
Secunia Advisory: SA20176
Release date: 2006-05-22
Last update: 2006-05-25
Critical: Moderately critical
Impact: Exposure of sensitive information, System access
Where: From remote
Solution status: Vendor patch
Software: XOOPS 2.x
CVE reference: CVE-2006-2516 (Secunia mirror)

Description: rgod has reported two vulnerabilities in XOOPS, which can be exploited by malicious people to disclose sensitive information and potentially compromise a vulnerable system.

Input passed to the "xoopsconfig" array parameter when the "xoopsoption[nocommon]" parameter is defined isn't properly verified before it is used to include files. This can be exploited to include arbitrary files from local resources.

Examples:
http://[host]/misc.php?xoopsoption[nocommon]=1&xoopsconfig[language]=[file]%00
http://[host]/index.php?xoopsoption[nocommon]=1&xoopsconfig
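
A detection sketch for the request pattern the advisory describes, added here as an example (it is not part of the advisory or of XOOPS): it flags access-log lines whose query string sets both parameters, and separates those carrying a NUL byte or a parent-directory step. The log lines are constructed, and the quoted request-line layout, the verdict names and the function names are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Constructed access-log lines (not real traffic); addresses use documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/May/2006:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [22/May/2006:10:00:07 +0000] "GET /misc.php?xoopsoption[nocommon]=1'
    '&xoopsconfig[language]=..%2Fplaceholder%00 HTTP/1.1" 200 812',
    '192.0.2.44 - - [22/May/2006:10:00:09 +0000] "GET /index.php?xoopsoption%5Bnocommon%5D=1'
    '&xoopsconfig%5Blanguage%5D=english HTTP/1.1" 200 640',
    '192.0.2.80 - - [22/May/2006:10:01:30 +0000] "GET /modules/news/index.php?storyid=4 HTTP/1.1" 200 9000',
]

# Assumed log layout: the request line is quoted as "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def classify(line):
    """Return None, 'override' or 'inclusion' for one access-log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    query = match.group(1).partition("?")[2]
    # parse_qsl percent-decodes names and values, so %5B, %2F and %00 are normalised.
    # Names are lowercased because the page gives them in lowercase.
    params = [(k.lower(), v) for k, v in parse_qsl(query, keep_blank_values=True)]
    nocommon = any(k == "xoopsoption[nocommon]" for k, _ in params)
    config = [v for k, v in params if k.startswith("xoopsconfig[")]
    if not (nocommon and config):
        return None
    # A NUL byte or a parent-directory step in a config value has no legitimate use.
    if any("\x00" in v or ".." in v for v in config):
        return "inclusion"
    return "override"


def scan(lines):
    """Return (line_index, verdict) for every line that sets both parameters."""
    hits = []
    for index, line in enumerate(lines):
        verdict = classify(line)
        if verdict:
            hits.append((index, verdict))
    return hits


if __name__ == "__main__":
    for index, verdict in scan(SAMPLE_LOG):
        print(verdict, SAMPLE_LOG[index])
```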