MyNewsGroups :) Input Validation Holes Let Remote Users Conduct Cross-Site Scripting Attacks

SecurityTracker Alert ID: 1005320
SecurityTracker URL: http://securitytracker.com/id/1005320
CVE Reference: GENERIC-MAP-NOMATCH
Date: Sep 30 2002
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included: Yes
Version(s): 0.4, 0.4.1

Description:
Some input validation vulnerabilities were reported in 'MyNewsGroups :-)'. A remote user can conduct cross-site scripting attacks against users to gain access to their accounts.

MyNewsGroups :) reportedly does not filter HTML tags from the Subject headers. A remote user can submit a specially crafted newsgroup message that, when viewed by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running MyNewsGroups :-) and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

This allows the remote user to take over a target user's account and post fake messages on behalf of the target user.

The vendor has reportedly been notified.

Impact:
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running 'MyNewsGroups :-)', access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
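
The following is an added illustration of the defect class described above; it is not MyNewsGroups :) source code and not the patch attached to the source message below. It is written in PHP, the language the program is written in, and shows a Subject header written into the message list without encoding next to the same output with htmlspecialchars() applied. The function names and the sample Subject line are constructed for this example.

```php
<?php
// Added example for this advisory: not MyNewsGroups :) code and not the
// patch from the source message. Function names and the sample Subject
// line are constructed for illustration.

// Constructed Subject header as a web-based newsreader might receive it
// from an NNTP server. The script inside only opens a dialog box; it
// stands in for whatever the posting user chose to embed.
$subject = "Re: weekly build <script>alert('subject header')</script>";

// Vulnerable pattern: the raw header is interpolated into the HTML of
// the message list, so markup in the header becomes markup in the page
// and runs in the security context of the site.
function render_subject_vulnerable($subject)
{
    return '<td class="subject">' . $subject . '</td>';
}

// Hardened pattern: HTML-encode at the point of output. ENT_QUOTES also
// encodes single quotes, which matters if the same value is ever placed
// inside an attribute. The header text stays readable for the user; the
// browser no longer sees a tag.
function render_subject_fixed($subject)
{
    return '<td class="subject">'
        . htmlspecialchars($subject, ENT_QUOTES, 'UTF-8')
        . '</td>';
}

// Side-by-side output for the constructed header.
echo "Vulnerable: ", render_subject_vulnerable($subject), "\n";
echo "Fixed:      ", render_subject_fixed($subject), "\n";
```

Encoding at output, rather than stripping tags from the stored header, keeps the original Subject text intact and needs no list of dangerous tags. Because USENET Subject headers may arrive as RFC 2047 encoded words, any such decoding should happen first, and the encoding should be applied to the decoded string immediately before it is written into the page.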

Solution:
No solution was available at the time of this entry.
The author of the report has provided an unofficial patch, available in the Source Message (it is Base64 encoded).

Vendor URL: mynewsgroups.sourceforge.net/

Cause:
Input validation error

Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)

Message History:
None.

Source Message Contents

Date: Mon, 30 Sep 2002 01:05:39 +0200 (CEST)
Subject: [VulnWatch] MyNewsGroups :) XSS patch

MyNewsGroups :) XSS patch

PROGRAM: MyNewsGroups :)
VENDOR: Carlos Sanchez Valle et al.
HOMEPAGE: http://mynewsgroups.sourceforge.net/
VULNERABLE VERSIONS: 0.4, 0.4.1, possibly others
IMMUNE VERSIONS: 0.4.1 with my patch applied
SEVERITY: high
LOGIN REQUIRED: no

DESCRIPTION:

"MyNewsGroups :) is a USENET news client with a completely Web-based
interface. It is written in PHP4, and it uses a MySQL database
backend, which allows useful tools such as search engines, SPAM
filters, subscriptions, and stats to be implemented. The interface
of MyNewsGroups :) is very easy to use."
(direct quote from the program's project page at Freshmeat)

The program is published under the terms of the GNU General Public
License.

SUMMARY:

MyNewsGroups :) has got several cross-site scripting holes that are
triggered when displaying the Subject headers of newsgroup messages.
By posting a malicious newsgroup message, an attacker can take over
many MyNewsGroups :) users' accounts. The same attacker can also
trick the program into posting fake messages under the users' names.

COMMUNICATION WITH VENDOR:

The vendor was contacted on the 9th of July. They still haven't
fixed this issue.

MY PATCH:

I wrote a patch for this XSS issue, and I have included it as an
attachment to this mail. I have patched against version 0.4.1.

// Ulf Harnhammar
VSU Security
ulfh@update.uu.se

[Attachment: mynewsgroups.patch, Base64-encoded TEXT/PLAIN; the attachment contents are not included in this archive copy.]