CVE-2006-2516

Name of the Vulnerable Software and Affected Versions XOOPS versions 2.0.13.2 and earlier

Description The issue allows remote attackers to conduct directory traversal attacks or include PHP files. This can be achieved by overwriting variables such as $xoopsOption['nocommon'] when register globals is enabled. Attackers can exploit this via xoopsConfig[language] to misc.php or xoopsConfig[theme set] to index.php by injecting PHP sequences into a log file.

Recommendations For XOOPS versions 2.0.13.2 and earlier, consider disabling the register globals setting to prevent variable overwrite attacks. As a temporary workaround, restrict access to misc.php and index.php to minimize the risk of exploitation. Avoid using the xoopsConfig[language] and xoopsConfig[theme set] variables in sensitive operations until the issue is resolved.