As part of my research into Gadget Chains and PHP Object Injection, I discovered exploitable vulnerabilities in three different XOOPS modules.
The XOOPS team responded quickly to my report, and fixes were released not long after. They were very good to work with.
They published details here:
https://xoops.org/modules/newbb/viewtopic.php?topic_id=79555
The specific fixes were:
MITRE have assigned CVE-2024-56925 for xmarticle, and CVE-2024-56928 for xmsocial.
They suggested that xmnews share one of the above CVEs, but I've requested a separate identifier as it's a distinct module / repo / vulnerability.
It took quite a long time to get the initial reply from MITRE, and it may be a while before I hear back.
XOOPS includes the Smarty template engine, which brings with it at least one viable Gadget Chain:
https://github.com/ambionics/phpggc/tree/master/gadgetchains/Smarty
The Smarty/FD1 gadget chain can be used as a Proof of Concept for these XOOPS vulnerabilities.