I found this through google and it bothers me.

http://securityvulns.com/Pdocument969.html

From: Omid <omid_(at)_hackers.ir>
Date: 05.02.2007
Subject: Sql injection bugs in XOOPS 2.0.16 + Weblinks module

Hi,

These bugs were published in full-disclosure about 2 weeks ago (CVE-2007-0377).

There is a sql injection bug in XOOPS 2.0.16 core (and maybe other versions) in
admin section:

The 'id' parameter in "get()" function is not checked against sql injections :

File kernel/group.php, Line 94 :
:: function &get($id)
:: {
:: $group = false;
:: if (intval($id) > 0) {
** $sql = 'SELECT * FROM '.$this->db->prefix('groups').' WHERE groupid='.$id;

This one doesnt seem to be critical .


In "Weblinks" module :

The 'lid' parameter in "deleteByLid()" function is not
checked against sql injections :

File class/table_broken.php, Line 58 :
:: function deleteByLid($lid)
:: {
** $sql = "DELETE FROM $this->table WHERE lid=$lid";
:: return $this->query_false($sql);
:: }

Also 3 other sql injections exist which can be exploitable and are not
discribed here . The new version is not released yet .

The original advisory (in Persian) is located at :
http://www.hackers.ir/advisories/festival.txt


- Omid

I believe that the latest release of the weblinks module will deal with this problem.

and the group.php sql injection bug isn't serious because the system is only vulnerable when logged in as administrator of a website. And administrators already have the rights to change everything anyway. You can't secure against misuse of properly given access and administration rights. ANyway, with access to the groups administration section, you can give anyone any rights anyway. The hole is there, but it doesn't leak unless leaking is part of the goal.

Herko