MyNewsGroups :) XSS patch

[Ulf Harnhammar <ulfh () update uu se>]

MyNewsGroups :) XSS patch


PROGRAM: MyNewsGroups :)
VENDOR: Carlos Sanchez Valle et al.
HOMEPAGE: http://mynewsgroups.sourceforge.net/
VULNERABLE VERSIONS: 0.4, 0.4.1, possibly others
IMMUNE VERSIONS: 0.4.1 with my patch applied
SEVERITY: high
LOGIN REQUIRED: no


DESCRIPTION:

"MyNewsGroups :) is a USENET news client with a completely Web-based
interface. It is written in PHP4, and it uses a MySQL database
backend, which allows useful tools such as search engines, SPAM
filters, subscriptions, and stats to be implemented. The interface
of MyNewsGroups :) is very easy to use."

(direct quote from the program's project page at Freshmeat)

The program is published under the terms of the GNU General Public
License.


SUMMARY:

MyNewsGroups :) has got several cross-site scripting holes that are
triggered when displaying the Subject headers of newsgroup messages.
By posting a malicious newsgroup message, an attacker can take over
many MyNewsGroups :) users' accounts. The same attacker can also
trick the program into posting fake messages under the users' names.


COMMUNICATION WITH VENDOR:

The vendor was contacted on the 9th of July. They still haven't
fixed this issue.


MY PATCH:

I wrote a patch for this XSS issue, and I have included it as an
attachment to this mail. I have patched against version 0.4.1.


// Ulf Harnhammar
   VSU Security
   ulfh () update uu se

Attachment: mynewsgroups.patch
Description: