WEB VULNERABILITY SCANNER DOWNLOAD TRIAL FREE EDITION PRODUCT TOUR WEB SITE SECURITY CENTRE

XOOPS v.2.0.11 SQL Injection and Authentification Bypass Security Vulnerability

Description
The problem with XMLRPC in xoops is lack of sanitation, but because the data is recieved from the reserved $HTTP_RAW_POST_DATA variable magic_quotes_gpc are never applied, the _checkUser function is just a wrapper for the XMLRPC server, as the arguments are eventually passed to the XOOPS core function "loginUser()".

Confirmed in versions: 2.0.11. Other versions may also be affected.

Impact
An attacker could use this vulnerability to easily gain the administrator hash, and much more.

References
GulfTech Research And Development ( XOOPS 2.0.11 && Earlier Multiple Vulnerabilities)
Product Homepage

View entire list of over 400 known Web Application Vulnerabilities and the specific technologies which they target. See Web Vulnerabilities in popular applications such as: WordPress, Tiki Wiki, PHPNuke, PHPMyAdmin, phpBB, Mambo, PHP-Fusion, Mantis, Invision Power Board

Get latest new web vulnerabilities via RSS

Download a FREE trial of Acunetix WVS
Take a product tour of Acunetix WVS (includes screenshots & system overview) or view the datasheet (PDF)
Learn more about SQL injection, Cross site scripting (XSS), other web attacks and PCI-DSS at the Web Site Security Centre
See what the IT Press has to say about Acunetix WVS in the reviews page, or read our customer testimonials
List of vulnerabilities Acunetix WVS checks for.
Application Vulnerabilities in popular web applications that Acunetix WVS checks for