
Bug 80199

Summary: www-apps/xoops: Incontent Module Arbitrary File Content Disclosure
Product: Gentoo Security
Reporter: Jean-François Brunette (RETIRED) <formula7>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://secunia.com/advisories/14064/
Whiteboard: ~3
Package list:
Runtime testing required: ---

Description Jean-François Brunette (RETIRED) gentoo-dev 2005-01-31 05:39:02 UTC
Description:
Larok has reported a vulnerability in the Incontent module for Xoops, which can be exploited by malicious people to disclose sensitive information.

Input passed to the "url" parameter in "index.php" isn't properly verified before it is used to view files. This can be exploited to disclose the contents of arbitrary local files.

The vulnerability has been reported in version 3.0. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.
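
One way to apply the "properly sanitised" fix named in the report above, as an added PHP example that is not Incontent's or Xoops' code and not part of the original bug report: the `url` value is resolved against a fixed content directory and rejected unless its canonical path stays inside it. `CONTENT_DIR`, `resolve_content_path()` and the extension allowlist are assumptions for illustration.

```php
<?php
// Added example: hypothetical handler, not Incontent's or Xoops' code.
// CONTENT_DIR and the function name are assumptions for illustration.
const CONTENT_DIR = __DIR__ . '/content';

/**
 * Resolve a user-supplied "url" value to a file inside $baseDir.
 * Returns the canonical path, or null if the request must be rejected.
 */
function resolve_content_path(string $requested, string $baseDir = CONTENT_DIR): ?string
{
    // Reject empty values, NUL bytes and stream wrappers (php://, file://, ...).
    if ($requested === '' || strpos($requested, "\0") !== false
        || preg_match('#^[a-z][a-z0-9+.-]*://#i', $requested)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null; // misconfigured base directory: fail closed
    }

    // realpath() collapses "../" and follows symlinks; it returns false
    // for paths that do not exist, which also fails closed.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }

    // Containment check on the canonical path. The trailing separator stops
    // a sibling such as "/srv/content-private" from matching "/srv/content".
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    // Only serve the file types the module is meant to display.
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    return in_array($ext, ['html', 'htm', 'txt'], true) ? $real : null;
}

// A non-string value (e.g. url[]=x) is treated as an empty request.
$raw  = $_GET['url'] ?? '';
$path = is_string($raw) ? resolve_content_path($raw) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
readfile($path);
```

The check runs on the canonical path returned by `realpath()`, so encoded or nested `../` sequences and symlinks pointing outside the content directory are rejected by the same comparison.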
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-01-31 07:01:40 UTC
Hmm...
Apparently Incontent is an outdated optional module for Xoops, not shipped in our package and not in the module repository from xoops.

Closing as INVALID, please reopen if you find evidence that our Xoops includes a vulnerable version of Incontent.