A command execution vulnerability has found at the library "Snoopy".
http://secunia.com/Advisories/32361/
But calm down, guy.
All XOOPS forks never pass arbitrary URIs into Snoopy.
And almost modules using Snoopy allow to set URIs only by administrators.
Just update the releasing version later.
But, if you allows guests or incredible users to set URI using Snoopy, you have to patch it urgently.
Index: html/class/snoopy.php
===================================================================
--- snoopy.php (revision 729)
+++ snoopy.php (working copy)
@@ -1035,8 +1035,7 @@
$headerfile = tempnam($temp_dir, "sno");
- $safer_URI = strtr( $URI, "\"", " " ); // strip quotes from the URI to avoid shell access
- exec($this->curl_path." -D \"$headerfile\"".$cmdline_params." \"".$safer_URI."\"",$results,$return);
+ exec($this->curl_path." -k -D \"$headerfile\"".$cmdline_params." \"".escapeshellcmd($URI)."\"",$results,$return);
if($return)
{