Hi,

These bugs were published in full-disclosure about 2 weeks ago (CVE-2007-0377).

There is a sql injection bug in Xoops 2.0.16 core (and maybe other versions) in
admin section:

The 'id' parameter in "get()" function is not checked against sql injections :

File kernel/group.php, Line 94 :
:: ...

[ more ]