
alexandria.txt
Posted Mar 29, 2003
Authored by Ulf Harnhammar | Site secunia.com

Alexandria versions 2.5 and 2.0, the open-source project management system used by SourceForge, have multiple vulnerabilities in their PHP scripts. The upload scripts lack input validation, which allows a remote attacker to retrieve any file on the system, such as /etc/passwd. Other vulnerabilities exist as well, including a sendmessage.php script that spammers can use to mask their real source identity, and various cross-site scripting problems.

tags | exploit, php, vulnerability, xss
SHA-256 | 3b8cd898c56ffd9fbcad5f8c4a643c6201ae0184608d07c89c46e5d1ba679c07

====================================================================== 

Secunia Research 28/03/2003

- Alexandria-dev / sourceforge multiple vulnerabilities -

======================================================================
Receive Secunia Security Advisories for free:
http://www.secunia.com/subscribe_secunia_security_advisories/?6

======================================================================
Table of Contents
1..............................................Description of software
2.......................................Description of vulnerabilities
3....................................................Affected Software
4.............................................................Severity
5.............................................................Solution
6...........................................................Time Table
7........................................................About Secunia
8..............................................................Credits
9.........................................................Verification

======================================================================
1) Description of software

Alexandria ( http://sourceforge.net/projects/alexandria-dev/ ) is an
open-source project management system.

A modified version is used by the highly popular sourceforge.net web
site, which hosts a large percentage of all open source projects.

======================================================================
2) Description of vulnerabilities

a) Upload spoofing

Both Alexandria's "docman/new.php" script and its "patch/index.php"
script have upload spoofing security holes, that is, they can be
fooled into treating any file on the web server as if it were the
uploaded file.

When uploading a file, PHP stores it in a temporary file and
saves its location in the global variable named by the <input
type="file"..> tag's name attribute. The programmer is supposed to
check that the file really was uploaded, by using functions such
as "is_uploaded_file()" or "move_uploaded_file()", but lots of people
forget that.

By POSTing some normal <input type="text"..> data to the two
scripts mentioned above, with the same name attribute as the file
upload, an attacker can exploit this and retrieve "/etc/passwd",
"/etc/local.inc" with SourceForge's database username/password
combination, or other important files.

Here is an example. A normal upload HTML form might look like this:

<form method="POST" enctype="multipart/form-data"
      action="script.php">
  <input type="file" name="thefile" size="30">
  <input type="submit" value="Upload it!">
</form>

To conduct upload spoofing on a vulnerable program like SourceForge,
an attacker can use this form instead:

<form method="POST" enctype="multipart/form-data"
      action="script.php">
  <input type="text" name="thefile" value="/etc/passwd" size="30">
  <input type="submit" value="Upload it!">
</form>
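The spoofing works because, with PHP's register_globals setting enabled (the default before PHP 4.2, and common on installations of that time), a text field and a file field with the same name both end up in the same global variable. The following is an added example, not code from Alexandria or SourceForge: a docman-style handler written the vulnerable way beside a hardened one that reads only from $_FILES and uses is_uploaded_file() / move_uploaded_file(). The function names and the $docdir path are assumptions for illustration.

```php
<?php
// Added example (not Alexandria's own code): an upload handler as it
// was typically written in the register_globals era, beside a hardened
// version. $docdir and the function names are assumed for illustration.

$docdir = '/var/www/docman/files';   // assumed storage directory

// --- Vulnerable pattern ---------------------------------------------
// Under register_globals, PHP creates $thefile (temp file path) and
// $thefile_name (client-supplied name) for a file field called
// "thefile". A POSTed <input type="text" name="thefile"
// value="/etc/passwd"> sets $thefile = "/etc/passwd" instead, and
// copy() reads that file as if it were the upload.
function store_document_vulnerable($thefile, $thefile_name, $docdir)
{
    // No check that $thefile is a temp file PHP created for this upload.
    return copy($thefile, $docdir . '/' . basename($thefile_name));
}

// --- Hardened pattern -----------------------------------------------
// Read only from the $_FILES array (a plain text field cannot populate
// it), confirm the temp file came from PHP's upload mechanism, and let
// move_uploaded_file() refuse anything else.
function store_document_safe(array $files, $field, $docdir)
{
    if (!isset($files[$field]) || !is_array($files[$field])) {
        return 'no upload';
    }
    $f = $files[$field];
    if ($f['error'] !== UPLOAD_ERR_OK) {
        return 'upload error ' . $f['error'];
    }
    // is_uploaded_file() is false for any path PHP did not create as an
    // upload temp file in this request, so "/etc/passwd" is rejected.
    if (!is_uploaded_file($f['tmp_name'])) {
        return 'spoofed upload rejected';
    }
    // basename() drops directory components from the client-chosen name;
    // a real deployment would also restrict characters and extensions.
    $target = $docdir . '/' . basename($f['name']);
    if (!move_uploaded_file($f['tmp_name'], $target)) {
        return 'move failed';
    }
    return 'stored ' . $target;
}

// Usage inside the request handler (docman/new.php would call the
// safe version):
echo store_document_safe($_FILES, 'thefile', $docdir), "\n";
```

The hardened version also checks the upload error code, because $_FILES entries exist even when the upload failed or the file was too large; acting on tmp_name without that check is a common second mistake in handlers of this kind.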

b) Spamming and CRLF Injection

Alexandria's "sendmessage.php" script tries to prevent people from
using it for spamming, by only allowing "To" addresses that contain
the domain of the current Alexandria installation. It is very
easy to get around, though. If the domain is "our-site", a spammer
can use the power of RFC 2822 to construct an e-mail address like
"our-site <mike@someothersite.net>", which will fool Alexandria into
allowing e-mails to mike@someothersite.net, as its domain is found
somewhere in the address.

The "sendmessage.php" script also suffers from CRLF Injection,
allowing people to add new mail headers, for instance in order to
send HTML mails.

c) Cross Site Scripting

Users' real names, users' resumes (under skills profile), short
and long job descriptions as well as short project descriptions
all suffer from Cross Site Scripting problems. This means that
malicious users may steal other users' cookies or perform actions
under their names.
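The fields listed above are all stored user input that is later echoed into other users' pages. The following is an added example, not Alexandria's own code: a profile page rendered without escaping beside one that escapes every field for its HTML context with htmlspecialchars(). The $user row and the function names are constructed for illustration.

```php
<?php
// Added example (not Alexandria's code). $user is a constructed row;
// function names are illustrative.

// Escape for HTML text and double-quoted attribute contexts. ENT_QUOTES
// also encodes single quotes, so the result is safe inside 'value=...'.
function h($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Vulnerable: stored profile fields are echoed verbatim, so markup in a
// real name or resume runs in every viewer's browser.
function render_profile_vulnerable(array $user)
{
    return '<h2>' . $user['realname'] . '</h2>'
         . '<pre>' . $user['resume'] . '</pre>'
         . '<input type="text" value="' . $user['realname'] . '">';
}

// Safe: escape at output time, once per field, for the context it lands
// in. For multi-line text that should keep line breaks, escape first and
// only then insert <br>, otherwise the added tags would be escaped too.
function render_profile_safe(array $user)
{
    return '<h2>' . h($user['realname']) . '</h2>'
         . '<p>' . nl2br(h($user['resume'])) . '</p>'
         . '<input type="text" value="' . h($user['realname']) . '">';
}

// Constructed sample containing markup in a "real name" and a resume.
$user = array(
    'realname' => 'Mike <script>alert(1)</script>',
    'resume'   => "PHP developer\n\"quotes\" & <b>tags</b> must stay literal",
);

echo "--- vulnerable ---\n", render_profile_vulnerable($user), "\n";
echo "--- safe ---\n",       render_profile_safe($user), "\n";
```

Escaping belongs at the point of output, not at the point of storage: the same real name may later be placed into a mail body, a URL or a JavaScript string, each of which needs a different encoder.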

======================================================================
3) Affected Software

At least Alexandria versions 2.5 and 2.0 are vulnerable to these
problems.

WebSite:
http://sourceforge.net/projects/alexandria-dev/

======================================================================
4) Severity

Rating: Highly critical
Impact: Cross Site Scripting
        Exposure of system information
        Security Bypass
Where:  From Remote

======================================================================
5) Solution

No new release will be issued. The source code is no longer
supported by SourceForge / VASoftware.

The latest version of the commercial solution "SourceForge Enterprise
Edition" is not believed to be vulnerable.

======================================================================
6) Time Table

19/03/2003 - SourceForge.net contacted
19/03/2003 - SourceForge.net confirmed
21/03/2003 - SourceForge.net asked us to hold until 26/3/2003
28/03/2003 - Vulnerability public disclosure

We have also contacted other sites believed to use code derived from
SourceForge / Alexandria.

======================================================================
7) About Secunia

Secunia collects, validates, assesses and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:
http://www.secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:
http://www.secunia.com/subscribe_secunia_security_advisories/?5

======================================================================
8) Credits

Discovered by Ulf Harnhammar

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website.
http://www.secunia.com/secunia_research/2003-2/

======================================================================
