List:       full-disclosure
Subject:    [Full-Disclosure] [VulnWatch] MyNewsGroups :) XSS patch
From:       Ulf Harnhammar <ulfh () update ! uu ! se>
Date:       2002-09-29 23:05:39

MyNewsGroups :) XSS patch


PROGRAM: MyNewsGroups :)
VENDOR: Carlos Sanchez Valle et al.
HOMEPAGE: http://mynewsgroups.sourceforge.net/
VULNERABLE VERSIONS: 0.4, 0.4.1, possibly others
IMMUNE VERSIONS: 0.4.1 with my patch applied
SEVERITY: high
LOGIN REQUIRED: no


DESCRIPTION:

"MyNewsGroups :) is a USENET news client with a completely Web-based
interface. It is written in PHP4, and it uses a MySQL database
backend, which allows useful tools such as search engines, SPAM
filters, subscriptions, and stats to be implemented. The interface
of MyNewsGroups :) is very easy to use."

(direct quote from the program's project page at Freshmeat)

The program is published under the terms of the GNU General Public
License.


SUMMARY:

MyNewsGroups :) has got several cross-site scripting holes that are
triggered when displaying the Subject headers of newsgroup messages.
By posting a malicious newsgroup message, an attacker can take over
many MyNewsGroups :) users' accounts. The same attacker can also
trick the program into posting fake messages under the users' names.
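The display bug the summary describes, as an added example that is not the project's code or the author's patch: a Subject header rendered into the page unescaped, beside the escaped version. The function names and the sample header are constructed for illustration.

```php
<?php
// Added example (not MyNewsGroups code): output of a USENET Subject header
// in a PHP web news reader, vulnerable and hardened side by side.

// Vulnerable: the raw header value is concatenated into the HTML, so any
// markup that a poster puts in the Subject line is interpreted by the
// browser of every user who views the message list.
function render_subject_unsafe($subject)
{
    return '<td class="subject">' . $subject . '</td>';
}

// Hardened: escape the untrusted value at the point of output. ENT_QUOTES
// also escapes single quotes, so the result is safe inside attribute values
// as well as element content; the explicit charset avoids encoding-dependent
// mismatches between what the escaper and the browser consider a tag.
function render_subject_safe($subject)
{
    $escaped = htmlspecialchars($subject, ENT_QUOTES, 'UTF-8');
    return '<td class="subject">' . $escaped . '</td>';
}

// Constructed Subject header, as it might arrive in a posted article.
$subject = 'Re: meeting <script>/* injected by poster */</script>';

// The unsafe renderer emits the script tag verbatim; the safe renderer emits
// it as &lt;script&gt;, which the browser shows as text and never executes.
echo render_subject_unsafe($subject), "\n";
echo render_subject_safe($subject), "\n";
```

The same escaping belongs on every header the reader echoes (From, Newsgroups, and so on), not only on Subject, since all of them are attacker-supplied.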


COMMUNICATION WITH VENDOR:

The vendor was contacted on the 9th of July. They still haven't
fixed this issue.


MY PATCH:

I wrote a patch for this XSS issue, and I have included it as an
attachment to this mail. I have patched against version 0.4.1.


// Ulf Harnhammar
   VSU Security
   ulfh@update.uu.se

["mynewsgroups.patch" (mynewsgroups.patch)]
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
