Cross-site scripting (XSS) vulnerability in MyNewsGroups 0.4 and 0.4.1 allows remote attackers to inject arbitrary web script or HTML via the subject of a newsgroup post, which is not properly handled by (1) myarticles.php, (2) search.php, (3) stats.php, or (4) standard.lib.php.
Ulf Harnhammar of VSU Security has released a patch for v0.4.1 addressing this issue. This third-party patch has not been tested. Currently we are not aware of any vendor-supplied patches for this issue.
Carlos Sanchez Valle MyNewsGroups :) 0.4.1
MyNewsGroups myarticles.php Newsgroup Post Subject XSS
Remote / Network Access
Loss of Integrity
MyNewsGroups contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the 'myarticles.php' script does not validate the subject of newsgroup posts. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
Currently, there are no known workarounds or upgrades to correct this issue. However, Ulf Harnhammar has released an unofficial patch to address this vulnerability.
As with all third-party solutions, ensure they come from a reliable source and are permitted under your company's security policy.