Bug 80199 - www-apps/xoops: Incontent Module Arbitrary File Content Disclosure
Summary: www-apps/xoops: Incontent Module Arbitrary File Content Disclosure
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/14064/
Whiteboard: ~3
Reported: 2005-01-31 05:39 UTC by Jean-François Brunette (RETIRED)
Modified: 2005-01-31 07:01 UTC

Description Jean-François Brunette (RETIRED) gentoo-dev 2005-01-31 05:39:02 UTC
Description:
Larok has reported a vulnerability in the Incontent module for Xoops, which can be exploited by malicious people to disclose sensitive information.

Input passed to the "url" parameter in "index.php" isn't properly verified, before it is used to view files. This can be exploited to disclose the contents of arbitrary local files.

The vulnerability has been reported in version 3.0. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.
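
One way to do the check the advisory's solution asks for, as an added example that is not part of the original report and not Incontent's code: confine the "url" value to a single content directory by canonicalising the path and verifying it still lies under that directory. The function name, directory layout and sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example, not Incontent's code. All names here are hypothetical.
// Assumption: the module should only serve files from one content directory.

// Map a user-supplied "url" value to a file inside $baseDir, or return null.
function resolve_content_path(string $baseDir, string $requested): ?string
{
    // Reject empty values, NUL bytes and stream wrappers such as php://.
    if ($requested === '' || strpos($requested, "\0") !== false
        || strpos($requested, '://') !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "." and ".." segments, follows symlinks, and
    // returns false when the target does not exist.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // The canonical path must still start with "<base>/". Including the
    // separator stops a sibling such as "<base>_private" from matching.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// Constructed demo data: one page inside the content directory, one file beside it.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'content_demo_' . getmypid();
$outside = $base . '_private.txt';
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'about.html', '<p>About</p>');
file_put_contents($outside, 'not for visitors');

$samples = ['about.html', '../' . basename($outside), 'missing.html', 'file://' . $outside];
foreach ($samples as $url) {
    $path = resolve_content_path($base, $url);
    printf("%-45s %s\n", $url, $path === null ? 'rejected' : 'served');
}

// Clean up the demo files.
unlink($base . DIRECTORY_SEPARATOR . 'about.html');
unlink($outside);
rmdir($base);
```

Only `about.html` is served; the other three sample values are rejected, including the sibling file whose name shares the content directory's prefix.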
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-01-31 07:01:40 UTC
Hmm...
Apparently Incontent is an outdated optional module for Xoops, not shipped in our package and not in the module repository from xoops.

Closing as INVALID, please reopen if you find evidence that our Xoops includes a vulnerable version of Incontent.