[XOOPS] “b_system_comments_show()” Security Bypass
TITLE:
XOOPS “b_system_comments_show()” Security Bypass
SECUNIA ADVISORY ID:
SA28264
VERIFY ADVISORY:
http://secunia.com/advisories/28264/
CRITICAL:
Not critical
IMPACT:
Security Bypass
WHERE:
From remote
SOFTWARE:
Xoops 2.x
http://secunia.com/product/327/
DESCRIPTION:
A weakness has been reported in XOOPS, which can be exploited by
malicious users to bypass certain security restrictions.
The weakness is caused by missing permission checks within the
“b_system_comments_show()” function in
htdocs/modules/system/blocks/system_blocks.php. This can be exploited
to read the comments of restricted modules.
The weakness is reported in versions prior to 2.0.18.
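The class of flaw described above, as an added example that is not XOOPS source code and not part of the original advisory: a cross-module "recent comments" listing filters each comment by the viewer's read permission on the comment's module before applying the display limit. All function names, group names and data are constructed for illustration.

```php
<?php
// Added illustration; not XOOPS code. Names and data are hypothetical.

// Constructed permission map: module id => groups allowed to read it.
$moduleReadGroups = [
    1 => ['anonymous', 'registered', 'staff'], // public module
    2 => ['registered', 'staff'],              // members-only module
    3 => ['staff'],                            // restricted module
];

// Constructed sample comments, newest first.
$comments = [
    ['id' => 104, 'module' => 3, 'title' => 'Internal rollout notes'],
    ['id' => 103, 'module' => 1, 'title' => 'Nice article'],
    ['id' => 102, 'module' => 2, 'title' => 'Members meetup'],
    ['id' => 101, 'module' => 9, 'title' => 'Comment from an unmapped module'],
    ['id' => 100, 'module' => 1, 'title' => 'First!'],
];

function canReadModule(array $perms, int $moduleId, array $userGroups): bool
{
    // Deny by default: a module with no permission entry has no readers.
    $allowed = $perms[$moduleId] ?? [];
    return count(array_intersect($allowed, $userGroups)) > 0;
}

// Pattern with the missing check: newest comments from every module.
function recentCommentsUnchecked(array $comments, int $limit): array
{
    return array_slice($comments, 0, $limit);
}

// Corrected pattern: filter by module read permission, then apply the limit,
// so restricted items neither appear nor consume display slots.
function recentCommentsChecked(array $comments, array $perms, array $userGroups, int $limit): array
{
    $visible = array_filter(
        $comments,
        fn(array $c): bool => canReadModule($perms, $c['module'], $userGroups)
    );
    return array_slice(array_values($visible), 0, $limit);
}

foreach ([['anonymous'], ['registered'], ['staff']] as $groups) {
    $unchecked = array_column(recentCommentsUnchecked($comments, 3), 'id');
    $checked = array_column(recentCommentsChecked($comments, $moduleReadGroups, $groups, 3), 'id');
    printf("%-10s unchecked=[%s] checked=[%s]\n", $groups[0], implode(',', $unchecked), implode(',', $checked));
}
```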
SOLUTION:
Update to version 2.0.18.
PROVIDED AND/OR DISCOVERED BY:
Reported by InstantZero.
ORIGINAL ADVISORY:
http://sourceforge.net/tracker/index.php?func=detail&aid=1808484&group_id=41586&atid=430840