Antoine wrote:
Theoretically: Yes. Would have to check the sanitization of all variables involved to be sure. Don't think anything as obvious as the main message body can be used to XSS though.
Is it possible for somebody to upload something that *purports* to be an image but is in fact an executable script of some kind? IOW, is there any upload area in XOOPS that may accept various types of restricted uploads that may not be scanning the files as designed?
Looking through the logs once again, the very last GET before the POST from user.php was for "uploads/blank.gif". At that last GET the user had a SESSIONID and one IP; when the POST happened, the user had the same SESSIONID with a different IP.
Is there a correlation there?
jaquita
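The session/IP correlation jaquita describes above can be checked mechanically across a whole access log. The script below is an added example, not code from the thread or from XOOPS: it assumes a combined-format log with a trailing `sid=` field (the log lines are constructed for illustration) and reports every session whose client IP changes between consecutive requests, showing the request before and after the change.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original thread). Session "abc123" does a
# GET for uploads/blank.gif from one IP and then POSTs to user.php from another;
# session "def456" keeps one IP throughout.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 sid=abc123
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /uploads/blank.gif HTTP/1.1" 200 43 sid=abc123
192.0.2.77 - - [01/Jan/2024:10:00:09 +0000] "POST /user.php HTTP/1.1" 302 0 sid=abc123
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 5120 sid=def456
10.0.0.9 - - [01/Jan/2024:10:01:05 +0000] "POST /user.php HTTP/1.1" 302 0 sid=def456
"""

# Assumed log layout: combined format plus a "sid=<session id>" field at the end.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ sid=(?P<sid>\S+)$'
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_session_ip_changes(text):
    """Return {sid: [(prev_ip, prev_request, new_ip, new_request), ...]} for
    every session whose client IP differs from its previous request."""
    last_seen = {}                 # sid -> (ip, "METHOD /path") of latest request
    changes = defaultdict(list)
    for rec in parse_log(text):
        sid = rec["sid"]
        req = f'{rec["method"]} {rec["path"]}'
        if sid in last_seen and last_seen[sid][0] != rec["ip"]:
            prev_ip, prev_req = last_seen[sid]
            changes[sid].append((prev_ip, prev_req, rec["ip"], req))
        last_seen[sid] = (rec["ip"], req)
    return dict(changes)


if __name__ == "__main__":
    for sid, events in find_session_ip_changes(SAMPLE_LOG).items():
        for prev_ip, prev_req, new_ip, new_req in events:
            print(f"session {sid}: {prev_ip} ({prev_req}) -> {new_ip} ({new_req})")
```

A mid-session IP change is a triage signal rather than proof of session hijacking, since mobile carriers and proxy pools legitimately rotate addresses; the value is in seeing which request the change coincides with.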