Therefore an Idea:
In the modules/xinha/xinha/plugins/ImageManager/config.inc.php insert after
// Include the config file
require('../../../../../config.php');
this code:
// Stop here unless a user is logged in (empty() also covers an unset key)
if (empty($_SESSION['USER_ID'])) {
    echo "please don´t hack";
    exit;
}
It's not really a patch to observe the vulnerability, but this code only allows registered users to upload files.
Therefore unregistered users cannot upload files; in most cases, this will be OK.
If someone wants to allow only Administrators (or a different group of users like "Registered") to upload, modify it like this:
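// Groups that may use the ImageManager
$vulncheck = 0;
if (isset($_SESSION['GROUP_NAME']) && ($_SESSION['GROUP_NAME'] === "Administrators" || $_SESSION['GROUP_NAME'] === "Registered")) {
    $vulncheck = 1;
}
// Everyone else is stopped before the plugin runs
if ($vulncheck != 1) {
    echo "please don´t hack";
    exit;
}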
Then only Administrators (or in this case Registered) can upload files.
You only have to define the user groups that can use this module.
Maybe someone has a better idea or will go on with this.

(PS: Sorry for my English, it's a long time ago, I learned this in school)