Xoops Multiple Unspecified SQL Injection Vulnerabilities

Bugtraq ID:	22399
Class:	Input Validation Error
CVE:	CVE-2007-0377
Remote:	Yes
Local:	No
Published:	Feb 05 2007 12:00AM
Updated:	Mar 06 2007 08:35PM
Credit:	[email protected] has been credited with the discovery of these vulnerabilities.
Vulnerable:	Xoops Xoops 2.0.16 core
Not Vulnerable:

Xoops Multiple Unspecified SQL Injection Vulnerabilities

Xoops is prone to multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in an SQL query.

An attacker may be able to exploit these issues to modify the logic of SQL queries. Successful exploits may allow the attacker to compromise the software, retrieve information, or modify data; other consequences are possible as well.

Xoops 2.0.16 is vulnerable.

Xoops Multiple Unspecified SQL Injection Vulnerabilities

Attackers can exploit these issues via a web client.

Xoops Multiple Unspecified SQL Injection Vulnerabilities

Solution:
Currently we are not aware of any vendor-supplied patches for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].

NOTE: The vendor refutes this issue.

Xoops Multiple Unspecified SQL Injection Vulnerabilities

References:

• XOOPS Web Site (XOOPS)
  
• XOOPS Website Forum - Bug Reports (XOOPS)
  
• Sql injection bugs in Xoops 2.0.16 + Weblinks module ('Omid' )