Xoops Local File Inclusion Vulnerabilities and Patch
We made the patch to solve this problem.
* Download(ZIP format) (TAR-GZ format)
* Security Advisory
* Thread related in this forum
If your server has the following conditions, this security hole brings trouble:
1) register_globals is on
2) magic_quotes_gpc is off
The attacker injects to $xoopsOption['noccomon'] that is global variable parameter to escape reading common.php. Common.php has simple protection code to check variables injection. But, if common.php isn't read, the protection code isn't worked.
If you have the following condition, you don't need to use this patch:
* register_globals is off
* You have already installed XOOPS Protector. (And, you modified mainfile.php for precheck)
If you don't know your environment, ask the administrator of your server, or use check tool that you can download from this thread.
We recommend making register_globals off if register_globals of your server is on. In the case of Apache, make .htaccess file and write the following:
php_value register_globals off
And upload it to your root directory. But, you need the permission about .htaccess from the administrator of your server.
If you use the rental server, it may offer FAQ or documents about .htaccess.