TITLE: PHP-Nuke MyHeadlines Module "myh_op" Cross-Site Scripting
SECUNIA ADVISORY ID: SA21653
VERIFY ADVISORY: http://secunia.com/advisories/21653/
CRITICAL: Less critical
IMPACT: Cross Site Scripting
WHERE: From remote
SOFTWARE: MyHeadlines 4.x (module for PHP-Nuke) - http://secunia.com/product/11722/
DESCRIPTION: Thomas Pollet has discovered a vulnerability in the MyHeadlines module for PHP-Nuke, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the "myh_op" parameter in modules.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Example: http://[host]/modules.php?op=modload&name=MyHeadlines&file=index&myh=user&myh_op=show_all[code]&eid=2474
The vulnerability has been confirmed in version 4.3.1. Other versions may also be affected.
SOLUTION: Edit the source code to ensure that input is properly sanitised.
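The following PHP snippet is an added illustration of what "properly sanitised" means for a reflected parameter like "myh_op"; it is not code from MyHeadlines or PHP-Nuke, and the function names, the list of operation names and the request array are assumptions made for the example. It places the unsafe pattern the advisory describes beside a hardened version that allow-lists the operation and HTML-encodes anything reflected into the response.

```php
<?php
// Added illustration (not the MyHeadlines module's own code). Function
// names, the operation list and the sample request are assumptions.

// Unsafe pattern: the requested operation is written straight back into the
// page, so whatever the client sends in myh_op becomes part of the HTML.
function render_op_vulnerable(array $get): string
{
    $op = $get['myh_op'] ?? 'show_all';
    return "<h2>Operation: $op</h2>";   // no validation, no output encoding
}

// Hardened version: (1) only accept operations the module actually knows
// (allow-list), and (2) HTML-encode whatever is reflected anyway.
function render_op_hardened(array $get): string
{
    $allowed = ['show_all', 'show_new', 'edit'];   // assumed operation names
    $op = $get['myh_op'] ?? 'show_all';
    if (!in_array($op, $allowed, true)) {
        $op = 'show_all';   // unknown op: fall back instead of reflecting it
    }
    // Defence in depth: encode on output even though $op is now allow-listed,
    // so a later change to the allow-list cannot reintroduce the bug.
    $safe = htmlspecialchars($op, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Operation: $safe</h2>";
}

// Self-check with a constructed request; no web server or database needed.
$request = ['myh_op' => 'show_all<i>injected markup</i>'];
echo render_op_vulnerable($request), "\n";   // the <i> tag lands in the page as markup
echo render_op_hardened($request), "\n";     // falls back to show_all, rendered as text
```

Run it with `php example.php`; the first line shows the injected tag reflected verbatim, the second shows the request reduced to a known operation. The allow-list is the real fix for a dispatcher-style parameter such as myh_op, because the value is meant to select a code path, not to carry user text; the htmlspecialchars call is the safety net that should wrap every reflected value regardless.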
PROVIDED AND/OR DISCOVERED BY: Thomas Pollet
Re: PHP-Nuke MyHeadlines Module *myh_op* Cross-Site Scripting (Score: 1)
and we just published a story...? MyHeadlines v4.3.xx: the great NewsScraper and Headlines-grabber that hurts...