E-xoops incontent module security hole
If you use runcms, I received an email regarding the security hole found in the incontent module.
The e-mail:
Quote:
I just received the following information from Larok (Webmaster at the RUSSIAN SUPPORT SITE) regarding the INCONTENT MODULE
If you are using INCONTENT, YOU WILL FIND A SECURITY FIX IN THIS INFORMATION TOO:
info from Larok is here :
Hello.
Incontent module has a big security bug.
With this bug a hacker can see all data in mainfile.php & other *.php portal files.
All database data can be stolen.
How it works:
Just a simple search in Google for sites that use the incontent module; I found one of them:
http://www.dotcomdesigns.net/modules/incontent/
To view incontent files we use link like:
http://www.dotcomdesigns.net/modules...l=consult.html
We can easily look at all database data, password, username and others by this link in html:
[removed]
And different *.php files by this link like:
[removed]
[removed]
Patch for this error here:
http://www.e-xoops.ru/modules/mydown...it.php?lid=330
(Closed for non-registered)
Also must work on xoops portals where the webmaster installed this module. Like this one:
[removed]
Have a nice day.
I took the urls out because it seems a lot of runcms based sites are still vulnerable, and I do NOT know why they included live URLs. They could have used an example using a non live site. If you have a site running xoops, make sure to patch it now by going to
http://runcms.org
thank you
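
A log check a site owner could run to see whether requests to the incontent module asked for PHP source files, added here as an example that is not part of the original post or the quoted e-mail. The real link format is truncated in the post, so the check inspects every query parameter; the parameter names `op` and `page`, the directory-traversal case, the addresses and the sample log lines are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

MODULE_PATH = "/modules/incontent/"   # module path as given in the post
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def classify(value):
    """Return why a parameter value looks like a file-disclosure attempt, or None."""
    v = unquote(value).replace("\\", "/").lower()  # parse_qsl decoded once; undo double encoding
    if "\x00" in v:
        return "null byte in file name"
    if ".." in v.split("/"):
        return "directory traversal"
    if re.search(r"\.php\d?$", v.strip()):
        return "PHP source file requested"
    return None

def scan(lines):
    """Return (client, target, status, reason) for each suspicious incontent request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.lower().startswith(MODULE_PATH):
            continue
        for _name, value in parse_qsl(parts.query, keep_blank_values=True):
            reason = classify(value)
            if reason:
                hits.append((client, target, int(status), reason))
                break
    return hits

# Constructed sample access-log lines (documentation addresses, hypothetical parameters).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2004:10:00:00 +0000] "GET /modules/incontent/index.php?op=aff&page=consult.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2004:10:01:00 +0000] "GET /modules/incontent/index.php?op=aff&page=../../mainfile.php HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2004:10:01:05 +0000] "GET /modules/incontent/index.php?page=%252e%252e/%252e%252e/mainfile.php HTTP/1.1" 200 2048',
    '203.0.113.5 - - [01/Jan/2004:10:02:00 +0000] "GET /modules/incontent/index.php?page=header.php HTTP/1.1" 403 310',
    '192.0.2.10 - - [01/Jan/2004:10:03:00 +0000] "GET /modules/news/article.php?storyid=4 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 means the server answered the request, so treat the database credentials in mainfile.php as exposed and change them after patching.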