[VIM] ajann's XOOPS viewcat.php issues - site-specific or not?

Steven M. Christey coley at mitre.org
Tue Apr 3 01:22:14 UTC 2007


ajann's been posting a ton of stuff to milw0rm using SQL injection in
"viewcat.php" with a "cid" or similar parameter, theoretically dealing
with multiple different modules.  This looks like it might be a
site-specific issue in http://www.xoops.pr.gov.br, anybody have any
thoughts?  Or is viewcat.php a required implementation for every xoops
module?  Searches on www.xoops.org don't seem to find products like
Tutoriais (milw0rm 3621).

The module file structure documentation at:

  http://dev.xoops.org/modules/phpwiki/index.php/FileStructure

doesn't mention viewcat.php, so maybe it's not a required file anyway.

On the other hand, myalbum-P (milw0rm 3632) *does* have a viewcat.php
that accepts a cid parameter, although version 2.84
(http://www.xoops.org/modules/repository/singlefile.php?cid=36&lid=1196)
seems to perform input validation on the cid parameter at first
glance:

  $cid = empty( $_GET['cid'] ) ? 0 : intval( $_GET['cid'] ) ;

*although* after this statement, there's an include of
"include/assign_globals.php" (not included in the module itself), which
is practically begging to have an extract() or $$varname or eval in
it.

- Steve
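As an added illustration of the clobbering hazard described in the mail (example code, not from myalbum-P or XOOPS; the extract() call standing in for assign_globals.php, the $$varname loop and the PDO/SQLite query are all assumptions):

```php
<?php
// Added example, not code from myalbum-P or XOOPS. It shows the hazard the
// mail describes: a $cid validated with intval() is undone when an included
// file later re-registers request variables via extract() or $$varname.

// Constructed request: cid is not a bare integer.
$_GET = ['cid' => '1 OR 1=1', 'lid' => '7'];

// The validation quoted from viewcat.php.
$cid = empty($_GET['cid']) ? 0 : intval($_GET['cid']);
var_dump($cid);                 // int(1)

// Hypothetical assign_globals.php behaviour: extract() defaults to
// EXTR_OVERWRITE, so the validated integer is silently replaced.
extract($_GET);
var_dump($cid);                 // string(8) "1 OR 1=1"

// The variable-variable form has the same effect.
$cid = intval($_GET['cid']);
foreach ($_GET as $k => $v) { $$k = $v; }
var_dump($cid);                 // string(8) "1 OR 1=1"

// Mitigation 1: do not let request keys overwrite variables already set.
$cid = empty($_GET['cid']) ? 0 : intval($_GET['cid']);
extract($_GET, EXTR_SKIP);      // existing $cid is kept
var_dump($cid);                 // int(1)

// Mitigation 2: re-coerce and bind at the point of use, so a clobbered
// $cid can never be spliced into the SQL string. (PDO/SQLite is assumed.)
function fetch_category(PDO $db, $cid): ?array {
    $cid  = (int) $cid;
    $stmt = $db->prepare('SELECT cid, title FROM categories WHERE cid = :cid');
    $stmt->bindValue(':cid', $cid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory table to exercise the query offline.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE categories (cid INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO categories VALUES (1, 'Tutoriais'), (2, 'Albums')");
var_dump(fetch_category($db, '1 OR 1=1'));   // only the row with cid 1
```

When auditing a module like this, the check is whether any file included after the intval() line re-registers request keys into the local scope; grepping the module for extract(, $$ and eval( is the quick way to find out.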


