Bug 80199

Summary:	www-apps/xoops: Incontent Module Arbitrary File Content Disclosure
Product:	Gentoo Security	Reporter:	Jean-François Brunette (RETIRED) <formula7>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED INVALID
Severity:	normal
Priority:	High
Version:	unspecified
Hardware:	All
OS:	All
URL:	http://secunia.com/advisories/14064/
Whiteboard:	~3
Package list:		Runtime testing required:	---

Description Jean-François Brunette (RETIRED) gentoo-dev

2005-01-31 05:39:02 UTC

Description:
Larok has reported a vulnerability in the Incontent module for Xoops, which can be exploited by malicious people to disclose sensitive information.

Input passed to the "url" parameter in "index.php" isn't properly verified, before it is used to view files. This can be exploited to disclose the contents of arbitrary local files.

The vulnerability has been reported in version 3.0. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Comment 1 Thierry Carrez (RETIRED) gentoo-dev

2005-01-31 07:01:40 UTC

Hmm...
Apparently Incontent is an outdated optional module for Xoops, not shipped in our package and not in the module repository from xoops.

Closing as INVALID, please reopen if you find evidence that our Xoops includes a vulnerable version of Incontent.