Xoops version 2.5.4 suffers from a remote blind SQL injection vulnerability.
2b179a5b592970daa6c84cd35f7b2c76a1fa845165abf65d270f5d19cbea058e
------------------------------------------
# Xoops 2.5.4 Blind SQL Injection
------------------------------------------
# Dork: "Powered by XOOPS 2.5.4"
# Download: https://sourceforge.net/projects/xoops/
# Date: 10/12/2011
# Author: blkhtc0rp
# Mail: blkhtc0rp[at]yahoo[dot]com
# Tested on: Freebsd 8 and Debian Squeeze
Note:
In order to be successful an attacker must have permission to access the administration menu.
Exploit:
https://192.168.1.109/xoops-2.5.4/modules/system/admin.php?fct=users&selgroups=[Blind Sqli]