Xoops.Horoscope.Module.Footer.PHP.File.Inclusion

Release Date Jul 04, 2007
Severity low
Impact System compromise.
Description The Horoscope 1.0 module for XOOPS has a remote file inclusion vulnerability. A remote attacker could execute an arbitrary script on a vulnerable web server with the privileges of the server, via a specially crafted URL request to the 'footer.php' script using the 'xoopsConfig[root_path]' parameter to specify a malicious PHP file from a remote system.
Affected Products Horoscope (module for Xoops) version 2.0.0 and prior.
Recommended Actions Currently we are not aware of any official supplied fix for this issue.
Coverage IPS VCM
Common Vulnerabilities and Exposures (CVE) CVE-2007-3236
Reference/s http://www.securityfocus.com/bid/24449 (BugTraq)

Fortinet