MyNewsGroups :) XSS patch
Date: Mon, 30 Sep 2002 01:05:39 +0200 (CEST)
From: Ulf Harnhammar <ulfh@update.uu.se>
To: bugtraq@securityfocus.com
Subject: MyNewsGroups :) XSS patch


MyNewsGroups :) XSS patch


PROGRAM: MyNewsGroups :)
VENDOR: Carlos Sanchez Valle et al.
HOMEPAGE: http://mynewsgroups.sourceforge.net/
VULNERABLE VERSIONS: 0.4, 0.4.1, possibly others
IMMUNE VERSIONS: 0.4.1 with my patch applied
SEVERITY: high
LOGIN REQUIRED: no


DESCRIPTION:

"MyNewsGroups :) is a USENET news client with a completely Web-based
interface. It is written in PHP4, and it uses a MySQL database
backend, which allows useful tools such as search engines, SPAM
filters, subscriptions, and stats to be implemented. The interface
of MyNewsGroups :) is very easy to use."

(direct quote from the program's project page at Freshmeat)

The program is published under the terms of the GNU General Public
License.


SUMMARY:

MyNewsGroups :) has got several cross-site scripting holes that are
triggered when displaying the Subject headers of newsgroup messages.
By posting a malicious newsgroup message, an attacker can take over
many MyNewsGroups :) users' accounts. The same attacker can also
trick the program into posting fake messages under the users' names.


COMMUNICATION WITH VENDOR:

The vendor was contacted on the 9th of July. They still haven't
fixed this issue.


MY PATCH:

I wrote a patch for this XSS issue, and I have included it as an
attachment to this mail. I have patched against version 0.4.1.


// Ulf Harnhammar
   VSU Security
   ulfh@update.uu.se
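The hole described in the advisory is the classic one of echoing an untrusted header straight into HTML. The following is an added illustration, not the author's patch and not code from the MyNewsGroups :) project: a hypothetical `render_subject()` shows the vulnerable pattern beside the fix (HTML-escaping the header before output), and `main` runs it over a constructed sample subject. Function names and the sample input are assumptions made for the example.

```php
<?php
// Added example: why a Subject header must be escaped before it is
// rendered into HTML. Names are hypothetical; not MyNewsGroups :) code.

// Vulnerable pattern: the header is inserted verbatim into the page, so
// any markup inside the Subject line becomes live HTML/JavaScript in
// every reader's browser.
function render_subject_unsafe($subject)
{
    return '<td class="subject">' . $subject . '</td>';
}

// Fixed pattern: encode the five HTML metacharacters (& < > " ') so the
// browser shows the header as text. ENT_QUOTES also covers single quotes,
// which matters when the value ends up inside an attribute.
function render_subject_safe($subject)
{
    $escaped = htmlspecialchars($subject, ENT_QUOTES, 'UTF-8');
    return '<td class="subject">' . $escaped . '</td>';
}

// Same rule for values placed into attributes (e.g. a message-id in a
// link): escape the value, never trust the header.
function render_subject_link_safe($msgid, $subject)
{
    $href = 'read.php?id=' . rawurlencode($msgid);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($subject, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed sample: a Subject line carrying markup, as an attacker-posted
// article might. (This is test data for the example, not a real message.)
$sample = "Re: hello <script>alert('x')</script> & \"friends\"";

echo "unsafe: " . render_subject_unsafe($sample) . "\n";
// unsafe output contains a live <script> element

echo "safe:   " . render_subject_safe($sample) . "\n";
// safe output: &lt;script&gt;alert(&#039;x&#039;)&lt;/script&gt; &amp; &quot;friends&quot;

echo "link:   " . render_subject_link_safe('<abc@example.invalid>', $sample) . "\n";
```

The defensive rule is the same one the patch applies: escape at the point of output, for every header field that reaches the page (Subject, From, References, etc.), rather than trying to blacklist tags on input.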

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
