I read
http://www.xoops.org/modules/newbb/viewtopic.php?topic_id=62321&forum=4&post_id=281125 and
http://packetstormsecurity.org/0801-exploits/xoopsgal-rfi.txt

Quote:
rgriff59 wrote:
Since xoopsgallery.org is offline, I have no way to check on the status or possibility of a proper fix, but maybe this will help you stay up long enough to find and implement a better solution.
No. That does not look like enough.
LFI still exists even with your patch.
You have to add some lines into mainfile.php instead of Protector, at least.
if (isset($_GET['GALLERY_BASEDIR'])) {
    die("xoopsgallery remote file include attack");
}
And I have to say: "stop using such an organically vulnerable module right now".
This warning will stand until all of the stupid code like "extract($_GET);" has been eliminated from the module.
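As an added illustration (not xoopsgallery's code and not from the post above), this shows why `extract($_GET)` turns a module's configuration variable into a request-controlled include path, the pattern that avoids it, and the mainfile.php guard the post proposes. The file name `init.php`, the parameter whitelist and the sample request are constructed placeholders.

```php
<?php
// Vulnerable pattern: the one the post criticises. Returns the path the
// module would go on to include().
function vulnerable_include_path(array $get): string
{
    $GALLERY_BASEDIR = __DIR__ . '/';   // intended value from the module config
    extract($get);                      // a ?GALLERY_BASEDIR=... parameter silently replaces it
    return $GALLERY_BASEDIR . 'init.php';
}

// Hardened pattern: request data never enters the symbol table. Only the
// parameters the script expects are read, each through a validating filter,
// and the base directory is defined by code alone.
function hardened_include_path(array $get): array
{
    $GALLERY_BASEDIR = __DIR__ . '/';   // cannot be overridden by the request
    $allowed = ['gid' => FILTER_VALIDATE_INT, 'page' => FILTER_VALIDATE_INT]; // hypothetical whitelist
    $params = [];
    foreach ($allowed as $name => $filter) {
        if (isset($get[$name])) {
            $value = filter_var($get[$name], $filter);
            if ($value !== false) {
                $params[$name] = $value;
            }
        }
    }
    return ['path' => $GALLERY_BASEDIR . 'init.php', 'params' => $params];
}

// Perimeter guard from the post, meant for mainfile.php: refuse any request
// that carries the parameter at all until the module is fixed or removed.
function reject_basedir_override(array $get): void
{
    if (isset($get['GALLERY_BASEDIR'])) {
        die('xoopsgallery remote file include attack');
    }
}

// Constructed sample request: a legitimate parameter plus an override attempt.
$request = ['gid' => '7', 'GALLERY_BASEDIR' => '/tmp/untrusted/'];

echo "vulnerable path: ", vulnerable_include_path($request), "\n";
$safe = hardened_include_path($request);
echo "hardened path:   ", $safe['path'], "\n";
echo "accepted params: ", json_encode($safe['params']), "\n";

reject_basedir_override($request);   // with the guard in place this request is stopped here
```

Run from the command line to compare the two paths: the vulnerable function returns whatever directory the request supplied, the hardened one always returns the module's own directory, and the guard terminates the script before either would be reached.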