Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:14398
HistorySep 23, 2006 - 12:00 a.m.

Squiz MySource Matrix Unauthorised Proxy and Cross Site Scripting

2006-09-2300:00:00
vulners.com
23
JSON

aushack.com - Vulnerability Advisory

Release Date:
22-Sep-2006

Software:
Squiz - My Source and My Source Matrix
http://www.squiz.net.au

"MySource Matrix is the newest version of the popular MySource CMS,
purpose built for enterprise level installations. It boasts all the
features of high-end systems such as highly configurable workflow,
a powerful integrated search engine, intuitive front-end editing, true
rollback and much more."

Versions affected:
MySource Matrix 3.8 and below, MySource 2.x.

Vulnerability discovered:

MySource Matrix may be used as an unauthorised HTTP proxy (and XSS).

Vulnerability impact:

Low - An anonymous user may use the MySource based website as a proxy.
Additionally, proxied bandwidth may be at great financial expense.
Remote content may contain JavaScript which is client executed.

Vulnerability information

A function of the software 'sq_remote_page_url' allows inclusion of remote
content in the body of the website.

Example: (wrapped)
http://www.mysource-example.com.au/$page?sq_remote_page_action=
fetch_url&sq_remote_page_url=http://www.google.com.au

… where '$page' is a valid CMS reference, e.g. 'about_us'.

This will return the Google website, encapsulated in the header
and footer HTML of the www.mysource-example.com.au site.

The remote page may contain JavaScript for XSS purposes, e.g. cookies.

Remote PHP inclusion does not appear to be possible (returns % hex value).

One could write a script to enable a world wide anonymous proxy array.

Solution:
The vendor does not consider this a vulnerability. Newer versions of the
software include a function 'sq_content_src' to hide the URL (Base64),
in addition to use of a string whitelist to permit inclusion, for example:

if whitelist = http://www.trust-content.com/index?id=*, where * = <wildcard>
ok = http://www.trust-content.com/index?id=1234
bad = http://www.trust-content.com/index?ref=1234

Note that whilst the URL is Base64 encoded, this does not necessarily mean
that whitelists are used. Future releases may be proxied via:

http://www.mysource-example.com.au/$page?
sq_content_src=aHR0cDovL3d3dy5nb29nbGUuY29tLmF1

References:
aushack.com advisory
http://www.aushack.com/advisories/200607-mysourcematrix.txt

Credit:
Patrick Webster ( [email protected] )

Disclosure timeline:
27-Apr-2006 - Discovered during audit, Squiz notified shortly after.
07-Jun-2006 - Sent security patch query to Squiz developers.
09-Jun-2006 - Squiz response - use whitelist function.
22-Sep-2006 - Public disclosure.

EOF

JSON