Hi Mithrandir.
I'm sorry that my articles have given you an unpleasant time.
But as I wrote in the subject, it is an emergency security hole.
Thus I have no time to select gentle words.
(And because of my poor skills in English.)
Removing all files of the module is the only way to protect all XOOPS sites.
(Though .htaccess is a good manner, not all XOOPS sites can use this.)
If register_globals is on, GPCS are registered as globals.
Although wjue had had its vulnerability reported to him by well-skilled programmers like onokazu, he patched only G and says "sufficiently safe".
I feel that it is irreverent and unworthy of a module developer.
Quote:
I write modules, but I have NO idea, whether it is a secure one or if there are similar problems with them. Therefore, I would be very happy to get some more guidelines as to how to avoid opening security holes.
Of course, this is the most important thing.
----------------------------------------
the first operator of these functions:
include(), include_once(), require(), require_once()
should not be started by variables.
----------------------------------------
Though it differs in accuracy, please pardon such an explanation.
(I have little free time and little skill to explain the vulnerability plainly in English.)
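As an added illustration of the rule in the box above (example code, not from this post, from wjue's module or from XOOPS itself), here is a hypothetical module function that loads one of several pages, first in the form the rule warns about and then in a form whose include() argument begins with a constant:

```php
<?php
// Added example: the pattern the post warns about, beside a safe form.
// Hypothetical module function that loads one of a few page templates.

// With register_globals on, an unset $page is silently filled from the
// request (GET/POST/Cookie), so a remote caller chooses what gets included.
function load_page_unsafe($page)
{
    // Vulnerable: the first argument of include() starts with a variable.
    include($page . '.php');
}

// Safe form: the path begins with a fixed directory, and the variable part
// is checked against an allow-list of the page names this module actually has.
function load_page_safe($page)
{
    $allowed = array('index', 'view', 'edit');   // constructed list of known pages
    if (!in_array($page, $allowed, true)) {
        $page = 'index';                          // unknown name: fall back safely
    }
    // The argument now starts with a constant; $page can only be one of $allowed.
    include(dirname(__FILE__) . '/pages/' . $page . '.php');
}

// Assume the caller initialises $page explicitly instead of relying on
// register_globals, so no request variable reaches include() unchecked.
$page = isset($_GET['page']) ? $_GET['page'] : 'index';
load_page_safe($page);
```

The allow-list check is what matters: prefixing a constant directory alone still lets the variable part carry path separators, so both the fixed prefix and the name check are needed.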