90
2.3 probably has the solution, it takes the cache and template_c folders out of the web directory. Unfortunately with most hosts, these folders have to be 777 or wold writable in the web directory and can allow for malicious files placed in them.
This is not the fault of xoops, but the host server settings.