• IDP Daily Update #1375
  posted: 02/27/09
  
• NSM Daily Update #1375
  posted: 02/27/09
  
• Deep Inspection 5.3r5 and above, 5.4, 6.0 #1375
  posted: 02/27/09
  
• Deep Inspection 5.1, 5.2, 5.3r4 and below #1361
  posted: 02/27/09
  
• Deep Inspection 5.0 #1132
  posted: 04/01/08
  
• Antivirus
  posted: 02/26/09

Text Size:        

• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Xoops XoopsGallery Module 'init_basic.php' Remote File Include Vulnerability

Severity: MODERATE

Description:

XoopsGallery is a gallery module for the XOOPS content manager; it is implemented in PHP.

The application is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input to the 'GALLERY_BASEDIR' parameter of the 'init_basic.php' script when passed in a specially crafted URI that contains hash values for 'GALLERY_BASEDIR'.

An attacker can exploit this issue to execute malicious PHP code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.

XoopsGallery 1.3.3.9 is vulnerable; other versions may also be affected.

Affected Products:

• Xoops XoopsGallery Module 1.3.3.9

References:

• XOOPS: XOOPS Homepage
• XoopsGallery: XoopsGallery Homepage