[VIM] ajann's XOOPS viewcat.php issues - site-specific or not?
Steven M. Christey
coley at mitre.org
Tue Apr 3 01:22:14 UTC 2007
ajann's been posting a ton of stuff to milw0rm using SQL injection in
"viewcat.php" with a "cid" or similar parameter, theoretically dealing
with multiple different modules. This looks like it might be a
site-specific issue in http://www.xoops.pr.gov.br, anybody have any
thoughts? Or is viewcat.php a required implementation for every xoops
module? Searches on www.xoops.org don't seem to find products like
Tutoriais (milw0rm 3621).
The module file structure documentation at:
http://dev.xoops.org/modules/phpwiki/index.php/FileStructure
doesn't mention viewcat.php, so maybe it's not a required file anyway.
On the other hand, myalbum-P (milw0rm 3632) *does* have a viewcat.php
that accepts a cid parameter, although version 2.84
(http://www.xoops.org/modules/repository/singlefile.php?cid=36&lid=1196)
seems to perform input validation on the cid parameter at first
glance:
$cid = empty( $_GET['cid'] ) ? 0 : intval( $_GET['cid'] ) ;
*although* after this statement, there's an include of
"include/assign_globals.php" (not included in the module itself), which
is practically begging to have an extract() or $$varname or eval in
it.
- Steve
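An added illustration of the concern above (my own example, not code from myalbum-P, XOOPS, or the real include/assign_globals.php, whose contents aren't shown in the thread): a cid value that has been run through intval() is lost again if a later include re-imports the request with extract() or $$name, so the validation line alone proves nothing. The table name, the request values and the assumed behaviour of the include are all constructed; the hardened version assumes PDO with the sqlite driver so it runs offline.

```php
<?php
// Added illustration for this thread; it is not code from myalbum-P, XOOPS
// or the real include/assign_globals.php, whose contents are not shown.
// It demonstrates why an intval()-validated $cid can be silently replaced
// if a later include re-imports request variables with extract() or $$name.
// Table and column names are hypothetical.

// Constructed request, standing in for $_GET. The value is deliberately
// not a clean integer so the two outcomes are easy to tell apart.
$request = ['cid' => '12abc', 'lid' => '7'];

function validate_cid(array $get): int
{
    // Same shape as the myalbum-P line quoted in the message:
    // intval() keeps the leading digits and drops the rest.
    return empty($get['cid']) ? 0 : intval($get['cid']);
}

// Pattern 1: validation, then a hypothetical include that does extract($_GET).
function query_with_extract(array $get): string
{
    $cid = validate_cid($get);          // integer here
    extract($get);                      // default flag is EXTR_OVERWRITE: $cid is the raw string again
    return "SELECT * FROM categories WHERE cid = $cid";
}

// Pattern 2: the same thing written with variable variables ($$name).
function query_with_varvars(array $get): string
{
    $cid = validate_cid($get);
    foreach ($get as $name => $value) {
        $$name = $value;                // overwrites $cid exactly like extract()
    }
    return "SELECT * FROM categories WHERE cid = $cid";
}

// Hardened form: import request keys under a prefix so they cannot collide
// with already-validated locals, and bind the integer instead of interpolating.
function query_hardened(array $get, PDO $db): PDOStatement
{
    $cid = validate_cid($get);
    extract($get, EXTR_PREFIX_ALL, 'req'); // yields $req_cid, $req_lid; $cid is untouched
    $stmt = $db->prepare('SELECT * FROM categories WHERE cid = :cid');
    $stmt->bindValue(':cid', $cid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt;
}

// Both unsafe variants interpolate the raw request string, not the validated integer.
echo query_with_extract($request), PHP_EOL;
echo query_with_varvars($request), PHP_EOL;

// In-memory SQLite so the hardened version runs without a server.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE categories (cid INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO categories VALUES (12, 'sample')");
$rows = query_hardened($request, $db)->fetchAll(PDO::FETCH_ASSOC);
echo json_encode($rows), PHP_EOL;
```

The practical check when auditing a module like this is to read every file included after the validation line and grep it for extract(, $$ and eval(; a validation that is later clobbered is the same as no validation, regardless of what the entry script looks like.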