Squiz MySource Matrix Unauthorised Proxy and Cross Site Scripting - Vulnerability Advisory
Release Date:

 Squiz - MySource and MySource Matrix

 "MySource Matrix is the newest version of the popular MySource CMS,
 purpose built for enterprise level installations. It boasts all the
 features of high-end systems such as highly configurable workflow,
 a powerful integrated search engine, intuitive front-end editing, true
 rollback and much more."

Versions affected:
 MySource Matrix 3.8 and below, MySource 2.x.

Vulnerability discovered:

 MySource Matrix may be used as an unauthorised HTTP proxy; the proxied
 content is also a vector for cross-site scripting.

Vulnerability impact:

 Low - An anonymous user may use the MySource based website as an open HTTP
       proxy. The proxied bandwidth is paid for by the site owner and may be
       a significant expense. Remote content may contain JavaScript, which
       executes in the visitor's browser within the MySource site's origin.

Vulnerability information

 The request parameter 'sq_remote_page_url', combined with
 'sq_remote_page_action=fetch_url', causes the server to retrieve an arbitrary
 remote URL and include its content in the body of the website.

 Example:

   $page?sq_remote_page_action=fetch_url&sq_remote_page_url=

   ... where '$page' is a valid CMS reference, e.g. 'about_us', and the value
   of 'sq_remote_page_url' is the remote address to fetch.

   With the Google front page as the remote address, this returns the Google
   website encapsulated in the header and footer HTML of the site.

   The remote page may contain JavaScript, which then runs in the context of
   the MySource site, e.g. to read its cookies.

   Remote PHP inclusion does not appear to be possible (the PHP markup comes
   back as percent-encoded hex values rather than being executed).

   An attacker could script requests across many MySource installations to
   build a world wide anonymous proxy array.
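 The proxy behaviour above leaves a distinctive trace in the web server's
 access log: every abused request carries sq_remote_page_action=fetch_url
 together with a sq_remote_page_url that points off-site. The Python script
 below is an added example written for this advisory; it is not part of the
 original text or of the MySource code. It parses combined-format log lines
 (constructed sample lines, not taken from a real server), extracts the remote
 target of each fetch_url request, ignores fetches of the site's own host (an
 assumed hostname, www.example-cms-site.com) and totals requests and bytes per
 client, so that both the open-proxy use and the bandwidth cost described under
 impact can be picked out of ordinary logs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format: client, identity, user, [timestamp],
# "METHOD path protocol", status, bytes. The CMS parameters sit in the path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Assumed hostname of the MySource site being monitored.
SITE_HOST = "www.example-cms-site.com"

# Constructed sample lines, not from a real server: two off-site fetches by
# one client (one of them a large download), a plain page view, and a
# fetch_url request that only pulls the site's own content.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Sep/2006:10:01:02 +1000] "GET /about_us?sq_remote_page_action=fetch_url&sq_remote_page_url=http%3A%2F%2Fwww.google.com%2F HTTP/1.1" 200 48211
203.0.113.7 - - [22/Sep/2006:10:01:05 +1000] "GET /about_us?sq_remote_page_action=fetch_url&sq_remote_page_url=http%3A%2F%2Fmirror.example.net%2Fiso%2Fdisc1.iso HTTP/1.1" 200 734003200
198.51.100.4 - - [22/Sep/2006:10:02:11 +1000] "GET /about_us HTTP/1.1" 200 9120
198.51.100.4 - - [22/Sep/2006:10:02:40 +1000] "GET /news?sq_remote_page_action=fetch_url&sq_remote_page_url=http%3A%2F%2Fwww.example-cms-site.com%2Fnews%2Ffeed HTTP/1.1" 200 3310
"""


def parse_line(line):
    """Split one combined-format line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def remote_fetch_target(path):
    """Return the URL a fetch_url request asks the CMS to retrieve, or None
    when the request is not a remote fetch. parse_qs undoes the %-encoding."""
    qs = parse_qs(urlsplit(path).query)
    if qs.get("sq_remote_page_action", [""])[0] != "fetch_url":
        return None
    urls = qs.get("sq_remote_page_url")
    return urls[0] if urls else None


def proxy_abuse_report(log_text, site_host=SITE_HOST):
    """Per-client count, byte total and target hosts of fetch_url requests
    that point anywhere other than the site itself."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        target = remote_fetch_target(rec["path"])
        if target is None:
            continue
        host = (urlsplit(target).hostname or "").lower()
        if host == site_host:
            continue  # embedding the site's own pages is the intended use
        entry = report.setdefault(rec["ip"], {"requests": 0, "bytes": 0, "targets": []})
        entry["requests"] += 1
        entry["bytes"] += rec["bytes"]
        entry["targets"].append(host)
    return report


if __name__ == "__main__":
    for ip, entry in proxy_abuse_report(SAMPLE_LOG).items():
        print(f"{ip}: {entry['requests']} proxied request(s), "
              f"{entry['bytes']} bytes -> {', '.join(entry['targets'])}")
```

 Run against a real access log, the byte totals are the figure to watch: a
 single client pulling hundreds of megabytes through fetch_url is the
 bandwidth cost the impact section warns about, and the target list shows
 whether the traffic is going to anything the site was meant to embed.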

 The vendor does not consider this a vulnerability. Newer versions of the
 software carry the URL in a 'sq_content_src' parameter that is Base64
 encoded, and permit inclusion only when the URL matches a string whitelist,
 for example:

 if whitelist = *, where * = 
 ok  = 
 bad = 

 Note that Base64 encoding is reversible obfuscation, not access control: an
 encoded URL does not by itself mean that a whitelist is enforced. Where no
 whitelist is in force, future releases may still be proxied via: $page? 
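 The vendor's two measures differ in kind: Base64 is an encoding anyone can
 reverse, whereas a whitelist actually limits what the server will fetch. The
 Python below is an added illustration for this advisory, not Squiz code; the
 parameter handling and the allowed hosts (feeds.example.org and
 intranet.example.com) are assumptions. It decodes a Base64 URL the way
 sq_content_src is described to carry one, then contrasts a naive substring
 'string whitelist' with a check on the parsed scheme and exact hostname. It
 goes beyond the advisory in listing four URL shapes that the substring form
 accepts and the host form rejects; whether MySource's own whitelist matches
 by substring or by host is not stated here.

```python
import base64
import binascii
from urllib.parse import urlsplit

# Hosts whose content the site is meant to embed. Assumed values chosen for
# this illustration.
ALLOWED_HOSTS = {"feeds.example.org", "intranet.example.com"}


def encode_content_src(url):
    """Produce the Base64 form a client would send as the URL parameter."""
    return base64.b64encode(url.encode("utf-8")).decode("ascii")


def decode_content_src(value):
    """Reverse the Base64 encoding. Anyone who can read the page source can
    do this too, so the encoding hides nothing from an attacker."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def naive_substring_allowed(url, allowed=ALLOWED_HOSTS):
    """A 'string whitelist' implemented as substring search: passes whenever
    an allowed string appears anywhere in the URL. Shown only to contrast with
    host_allowed below; nothing here is taken from the MySource code."""
    return any(h in url for h in allowed)


def host_allowed(url, allowed=ALLOWED_HOSTS):
    """Parse the URL, require an HTTP(S) scheme and compare the exact
    hostname. Userinfo ('user@'), query strings and longer domains that merely
    contain an allowed name do not pass."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    return host in allowed


def fetch_allowed(sq_content_src, allowed=ALLOWED_HOSTS):
    """Decision a hardened fetch handler would make from the raw parameter:
    decode first, then apply the host check. Undecodable input is refused."""
    url = decode_content_src(sq_content_src)
    return url is not None and host_allowed(url, allowed)


# URL shapes that a substring whitelist lets through although the content
# would come from an attacker-chosen host or over an unintended scheme.
SUBSTRING_BYPASSES = [
    "http://evil.example/?feeds.example.org",   # allowed name in the query
    "http://feeds.example.org.evil.example/",   # allowed name as a subdomain
    "http://feeds.example.org@evil.example/",   # allowed name as userinfo
    "ftp://feeds.example.org/",                 # right host, wrong scheme
]

if __name__ == "__main__":
    print("naive  host   url")
    for url in ["http://feeds.example.org/rss", "http://www.google.com/"] + SUBSTRING_BYPASSES:
        print(f"{naive_substring_allowed(url)!s:6} {host_allowed(url)!s:6} {url}")
    print("fetch_allowed(encoded google):",
          fetch_allowed(encode_content_src("http://www.google.com/")))
```

 The point of the comparison is that the check, not the encoding, is what has
 to be evaluated when judging whether a fix closes the proxy: a reviewer who
 sees only a Base64 value in the URL has learned nothing about what the server
 will agree to fetch.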

References: advisory 

Patrick Webster

Disclosure timeline:
 27-Apr-2006 - Discovered during audit, Squiz notified shortly after.
 07-Jun-2006 - Sent security patch query to Squiz developers.
 09-Jun-2006 - Squiz response - use whitelist function.
 22-Sep-2006 - Public disclosure.


