I was shocked just by looking inside the archive of xoops-2.3.2b.
They put the XOOPS_TRUST_PATH folder inside htdocs/!
(They renamed xoops_trust_path to xoops_lib. This fact also shows us they did not understand the meaning of XOOPS_TRUST_PATH.)
Moreover, there is no .htaccess under the folder xoops_lib/.
I doubted my eyes.
mamba had reported an LFI in the file under XOOPS_TRUST_PATH.
This is further evidence that they cannot understand the meaning of inside/outside DocumentRoot.
When mamba said "I fixes Protector", I replied "Such a patch is nonsense".
This report proves mamba's patch was just nonsense.
http://www.milw0rm.com/exploits/7705
You should interpret the report as an exploit not of Protector itself but just of XOOPS-2.3.2.
Anyway, phppp and the developers of xoops.org should do the following right now:
Put xoops_lib (XOOPS_TRUST_PATH) outside of htdocs.
Learn the meaning of inside/outside DocumentRoot.
Read how to install Protector V3 again and again!
If you cannot do that or cannot understand what I mean, remove Protector from your archive.
Your wrong structure of the archive gave me pain.
My module -Protector- is useful for protecting all XOOPS forks/folks from malicious attacks as long as the module is installed correctly.
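A check for the layout described above, as an added example that is not part of the original post, of XOOPS, or of Protector: it resolves both paths and reports whether the trust path lands inside DocumentRoot, and whether it then also lacks an .htaccess. The function names and the temporary directory layouts are constructed for illustration.

```python
import os
import tempfile


def audit_trust_path(document_root, trust_path):
    """Return findings for one layout; an empty list means the trust path is outside."""
    root = os.path.realpath(document_root)   # resolve symlinks before comparing
    trust = os.path.realpath(trust_path)
    findings = []
    # commonpath compares whole path components, so a sibling such as
    # /srv/htdocs_lib is not mistaken for something inside /srv/htdocs.
    if os.path.commonpath([root, trust]) == root:
        findings.append("inside DocumentRoot")
        if not os.path.isfile(os.path.join(trust, ".htaccess")):
            findings.append("no .htaccess")
    return findings


def demo():
    """Build constructed layouts in a temp dir and audit each one."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        htdocs = os.path.join(base, "htdocs")
        shipped = os.path.join(htdocs, "xoops_lib")    # layout as found in the archive
        moved = os.path.join(base, "xoops_lib")        # sibling of htdocs
        lookalike = os.path.join(base, "htdocs_lib")   # shares only a string prefix
        link = os.path.join(base, "trust_link")        # symlink leading back into htdocs
        for d in (shipped, moved, lookalike):
            os.makedirs(os.path.join(d, "modules", "protector"))
        os.symlink(shipped, link)
        for name, path in (("shipped", shipped), ("moved", moved),
                           ("lookalike", lookalike), ("symlink", link)):
            results[name] = audit_trust_path(htdocs, path)
        # Adding an .htaccess clears the second finding but not the first.
        open(os.path.join(shipped, ".htaccess"), "w").close()
        results["shipped_htaccess"] = audit_trust_path(htdocs, shipped)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```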
leco1 wrote:
See this article:
A Guide to Make your XOOPS Installation even more secure
http://www.xoops.org/modules/news/article.php?storyid=4601
Please read this in the release_notes in the xoops 232b package:
htdocs/
mainfile.php
(etc)
xoops_lib/
modules/
protector
Furthermore, they published a tutorial that explains how to remove the folders on htdocs.
Obviously there are good modules such as news, smartsections, article and xgal.