
Xoops 2.4.3 File Deletion / HTTP Response Splitting

Posted Jan 20, 2010
Authored by CodeScan Labs

Xoops versions 2.4.3 and below suffer from file deletion and HTTP response splitting vulnerabilities.

tags | advisory, web, vulnerability
SHA-256 | 120e78b8f69de891c145df26cb5c4f3b024dfce9ad9d2cc0391872f9facf552a

========================================================================

= CodeScan Advisory, codescan.com <advisories@codescan.com>
=
= Multiple vulnerabilities in Xoops 2.4.3
=
= Vendor Website:
= http://www.xoops.org
=
= Affected Version:
= Xoops 2.4.3 And Earlier
=
= Researched By
= CodeScan Labs <advisories@codescan.com>
=
= Public disclosure on January 19th, 2010
========================================================================

== Overview ==

CodeScan Labs (www.codescan.com) has recently released a new source
code scanning tool, CodeScan. CodeScan is an advanced auditing tool
designed to check web application source code for security vulnerabilities.
CodeScan utilises an intelligent source code parsing engine, traversing
execution paths and tracking the flow of user supplied input.

During the ongoing testing of CodeScan ASP, Xoops was selected as one of
the test applications. We downloaded Xoops from the Xoops website
http://sourceforge.net/projects/xoops/files/XOOPS Core (stable releases)/XOOPS 2.4.3/.

This advisory is the result of research into the security of Xoops,
based on the report generated by the CodeScan tool.

== Vulnerability Details ==

* File Deletion through unlink *

The unlink function is used by a web page to delete a file on the web server.
The unlink function was found to be used with user input:

unlink($oldsmile_path);

Although filter functions like str_replace are used:

$oldsmile_path = str_replace("\\", "/", realpath(XOOPS_UPLOAD_PATH.'/'.trim($_POST['old_smile'])));

this is not strong enough for CodeScan Developer to count as a filter.
It is potentially dangerous for a user to have direct control over what is
deleted, depending on the access and permissions the user holds. It is
recommended that user permissions and access be constrained to prevent
exploitation.

* HTTP Response Splitting via Header *

CodeScan Developer has identified that the application passes the
$redirect variable, which is taken directly from user input, to the
response header with no validators, restrictions, or custom filter function:

$redirect = trim($_GET['xoops_redirect']);
and:
header('Location: ' . $redirect);

This is potentially dangerous: a malicious user could inject malicious
content into the header, and the next time a user accesses the page it
could cause that malicious content to execute.

== Credit ==

Discovered and advised to the vendor by CodeScan Labs

== About CodeScan Labs Ltd ==

CodeScan Labs is a specialist security research and development
organisation that has developed the cornerstone application, CodeScan.
CodeScan Labs helps organisations secure their web services through the
automated scanning of the web application source code for security
vulnerabilities. The CodeScan product is currently available for ASP,
ASP.NET and PHP.

CodeScan Labs operates with Responsible Disclosure. As a result,
any published advisories will contain information around problems
identified by CodeScan that have been resolved by the vendor. Additional
code problems which may be identified by CodeScan or its staff which are
not resolved by the vendor will not be made publicly available.