Did you know that these files can be parsed as PHP files?
foo.php.en
foo.php.orig.test
This is normal behavior of Apache's mod_mime.c, which considers every dot-separated extension in a file name, not only the last one.
If a script stores an uploaded file under DocumentRoot and generates its name from the original file name, that is dangerous enough.
(Though I don't know of any such modules for XOOPS...)
Even if the script disallows *.php, an attacker can upload *.php.hehehe and execute the file.
The latest version of Protector (2.54) scans for multiple dots (.) inside $_FILES[]['name'].
If a suspicious file name is found, Protector will stop XOOPS immediately.
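
A check of the kind described above, as an added example written for this page; it is not Protector's code. The extension list, the function names and the sample array are assumptions.

```php
<?php
// Added example, not Protector's code. Extension list and policy are assumptions.
const SCRIPT_EXTS = ['php', 'phtml', 'php3', 'php4', 'php5', 'phar', 'cgi', 'pl'];

/** Collect every 'name' from a $_FILES-style array (plain fields and field[] arrays). */
function upload_names(array $files): array
{
    $names = [];
    foreach ($files as $field) {
        if (!isset($field['name'])) {
            continue;
        }
        $value = $field['name'];
        if (is_array($value)) {
            array_walk_recursive($value, function ($n) use (&$names) { $names[] = (string) $n; });
        } else {
            $names[] = (string) $value;
        }
    }
    return $names;
}

/** Return a reason if the name is suspicious given mod_mime's handling, else null. */
function suspicious_name(string $name): ?string
{
    $base  = basename(str_replace('\\', '/', $name));
    $parts = explode('.', strtolower($base));
    array_shift($parts);                 // drop the base name; mod_mime sees the rest as extensions
    $last = $parts[count($parts) - 1] ?? '';
    foreach ($parts as $i => $ext) {
        if (in_array($ext, SCRIPT_EXTS, true)) {
            return $i === count($parts) - 1
                ? "script extension .$ext"
                : "script extension .$ext in front of .$last";
        }
    }
    return count($parts) > 1 ? 'multiple dots' : null;
}

// Constructed sample shaped like $_FILES, using the file names from the text above.
$sample = [
    'avatar' => ['name' => 'photo.jpg'],
    'doc'    => ['name' => 'foo.php.en'],
    'multi'  => ['name' => ['foo.php.orig.test', 'image.php.hehehe', 'archive.tar.gz']],
];
foreach (upload_names($sample) as $name) {
    printf("%-20s %s\n", $name, suspicious_name($name) ?? 'ok');
}
```

Storing uploads under a server-generated name, outside DocumentRoot, removes the dependency on the original file name altogether.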
// The selected column has no alias.
$result = mysql_query( "SELECT ''" , $conn ) ;
$obj = mysql_fetch_object( $result ) ;

// The same query with the column aliased as tmp_name.
$result = mysql_query( "SELECT '' AS tmp_name" , $conn ) ;
$obj = mysql_fetch_object( $result ) ;