Xoops CMS SQL Injection Vulnerability Reported
KeyCoder has discovered a vulnerability in the MyAds module for Xoops, which can be exploited by malicious people to conduct SQL injection attacks.
Input passed to the "lid" parameter in annonces-p-f.php isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The vulnerability has been confirmed in version 2.04jp. Other versions may also be affected.
Solution:
Edit the source code to ensure that "lid" parameter input is sanitised.
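One way to apply this fix, as an added example that is not the MyAds module's own code: reject any "lid" that is not a positive integer, then pass the value to the query as a bound parameter. It assumes "lid" is a numeric listing id; the `listings` table, its columns and the function names are hypothetical, and PDO with an in-memory SQLite database stands in for the site's real database layer.

```php
<?php
declare(strict_types=1);

// Added example; table, column and function names are hypothetical, not from MyAds.

/** Return $raw as a positive integer id, or null if it is anything else. */
function parse_lid($raw): ?int
{
    if (!is_string($raw)) {
        return null; // array input (lid[]=1) or a missing parameter
    }
    $lid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $lid === false ? null : $lid;
}

/** Fetch one listing with a bound parameter, so the id never becomes SQL text. */
function fetch_listing(PDO $db, int $lid): ?array
{
    $stmt = $db->prepare('SELECT lid, title FROM listings WHERE lid = :lid');
    $stmt->bindValue(':lid', $lid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE listings (lid INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO listings VALUES (12, 'Bicycle'), (13, 'Desk')");

// Constructed request values, as they could arrive in $_GET['lid'].
$samples = ['12', '99', '12abc', '1 OR 1=1', '-5', '', ['12']];
foreach ($samples as $raw) {
    $lid = parse_lid($raw);
    if ($lid === null) {
        // In the real page this would be a 400 response with no query executed.
        echo json_encode($raw), " => rejected\n";
        continue;
    }
    $row = fetch_listing($db, $lid);
    echo json_encode($raw), ' => ', $row === null ? 'not found' : $row['title'], "\n";
}
```

Validation and parameter binding are used together here: the integer check gives a clean rejection path for malformed requests, while the prepared statement is what keeps the value out of the SQL text.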