[VulnWatch] MyNewsGroups :) XSS patch

From: Ulf Harnhammar (ulfh@update.uu.se)
Date: 09/30/02


Date: Mon, 30 Sep 2002 01:05:39 +0200 (CEST)
From: Ulf Harnhammar <ulfh@update.uu.se>
To: bugtraq@securityfocus.com


MyNewsGroups :) XSS patch

PROGRAM: MyNewsGroups :)
VENDOR: Carlos Sanchez Valle et al.
HOMEPAGE: http://mynewsgroups.sourceforge.net/
VULNERABLE VERSIONS: 0.4, 0.4.1, possibly others
IMMUNE VERSIONS: 0.4.1 with my patch applied
SEVERITY: high
LOGIN REQUIRED: no

DESCRIPTION:

"MyNewsGroups :) is a USENET news client with a completely Web-based
interface. It is written in PHP4, and it uses a MySQL database
backend, which allows useful tools such as search engines, SPAM
filters, subscriptions, and stats to be implemented. The interface
of MyNewsGroups :) is very easy to use."

(direct quote from the program's project page at Freshmeat)

The program is published under the terms of the GNU General Public
License.

SUMMARY:

MyNewsGroups :) has several cross-site scripting holes that are
triggered when displaying the Subject headers of newsgroup messages.
By posting a malicious newsgroup message, an attacker can take over
many MyNewsGroups :) users' accounts. The same attacker can also
trick the program into posting fake messages under the users' names.

COMMUNICATION WITH VENDOR:

The vendor was contacted on the 9th of July. They still haven't
fixed this issue.

MY PATCH:

I wrote a patch for this XSS issue, and I have included it as an
attachment to this mail. I have patched against version 0.4.1.

// Ulf Harnhammar
   VSU Security
   ulfh@update.uu.se
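
The Subject-header issue summarized above, as an added PHP example that is not part of the original advisory, not MyNewsGroups :) code, and not the attached patch. The function names, the `read.php` URL and the sample article are assumptions made for illustration.

```php
<?php
// Added illustration only. All names, the read.php URL and the sample
// article are hypothetical / constructed, not taken from MyNewsGroups :).

// Extract one header from a raw news article, honouring folded header lines.
function get_header(string $raw, string $name): string
{
    // Headers end at the first empty line.
    $head = preg_split('/\r?\n\r?\n/', $raw, 2)[0];
    // Unfold: a line break followed by whitespace continues the previous header.
    $head = preg_replace('/\r?\n[ \t]+/', ' ', $head);
    foreach (preg_split('/\r?\n/', $head) as $line) {
        if (stripos($line, $name . ':') === 0) {
            return trim(substr($line, strlen($name) + 1));
        }
    }
    return '';
}

// Encode untrusted text for HTML element content and quoted attribute values.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unsafe: the header value is copied into the page as-is.
function render_row_unsafe(int $id, string $subject): string
{
    return '<a href="read.php?id=' . $id . '" title="' . $subject . '">' . $subject . '</a>';
}

// Safe: every use of the header value is encoded at output time.
function render_row_safe(int $id, string $subject): string
{
    return '<a href="read.php?id=' . $id . '" title="' . h($subject) . '">' . h($subject) . '</a>';
}

// Constructed sample article with a folded Subject header containing markup.
$article = "From: someone@example.invalid\r\n"
    . "Subject: Re: hello\r\n \"><script>alert(1)</script>\r\n"
    . "Newsgroups: example.test\r\n\r\nbody\r\n";

$subject = get_header($article, 'Subject');
echo render_row_unsafe(1, $subject), "\n"; // markup from the message reaches the browser
echo render_row_safe(1, $subject), "\n";   // same text, rendered literally
```

Because the header arrives from an untrusted news server, encoding belongs at every output point (message list, thread view, reply form), not only where the article is first stored.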