exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

STG Security Advisory 2005-01-20.24

STG Security Advisory 2005-01-20.24
Posted Jan 25, 2005
Authored by STG Security | Site stgsecurity.com

STG Security Advisory: GForge versions 3.3 and below are susceptible to directory traversal attacks.

tags | exploit
SHA-256 | 8dc2e1f4564aa448435f8b3771a3642f05fd3c4d9e6cbbf1dbd81ef08a7da42a

STG Security Advisory 2005-01-20.24

Change Mirror Download


STG Security Advisory: [SSA-20050120-24] GForge 3.x directory traversal
vulnerability.

Revision 1.0
Date Published: 2005-01-20 (KST)
Last Update: 2005-01-20 (KST)
Disclosed by SSR Team (advisory@stgsecurity.com)

Summary
========
GForge is a software to help collaborative development for software
communities. The software provides a full configured development system with
tools for communication and version control among members of a development
team on a web site. GForge CVS modules have a directory traversal
vulnerability exploited by malicious attackers.

Vulnerability Class
===================
Implementation Error: Input validation flaw

Impact
======
Low : arbitrary directory list disclosure.

Affected Products
================
GForge 3.3 and prior

Not Affected Products
=====================
GForge 4.0 and posterior

Vendor Status: FIXED (GForge 4.0)
====================
2004-12-28 Vulnerability found
2004-12-28 Developers (Dragos Moinescu, Ronald Petty) contacted and
confirmed.
2004-12-28 Dragos Moinescu suggested the workaround of his module.
2004-12-29 Vendor contacted.
2005-01-20 Official release.

Details
=======
GForge CVS module made by Dragos Moinescu and another module made by Ronald
Petty have a directory traversal vulnerability.

$GFORGE/www/scm/controller.php doesn't sanitize $dir variable.
- ---
if(!$dir) {
$dir = $cvsroot;
$files = retrieveDir($dir);
...snip...
} else {
$files = retrieveDir($dir);
- ---

$GFORGE/www/scm/controlleroo.php doesn't sanitize $dir_name variable.
- ---
$DIRNAME = ($dir_name != "")?"/$dir_name":"";
$DIRNAME = $CVSROOT.$DIRNAME;
$DIRPATH = explode("/",$dir_name);
echo("Current directory: ");
for($i=0;$i<count($DIRPATH);$i++)
{
...snip...
if(false === ($dirContent = $DHD->readDirectory($DIRNAME)))
echo("Error: ".$DHD->getError());
...snip...
foreach($dirContent AS $k=>$v)
{
...snip...
$fileLink = ...snip...
- ---

If register_globals = On (in php.ini), malicious attackers can read
arbitrary directory lists.

Proof of Concept
================
1) http://[victim]/scm/controller.php?group_id=[number]
&dir=/cvsroot/[project]/CVSROOT/../../../../../

2) http://[victim]/scm/controlleroo.php?group_id=[number]
&dir_name=../../../&hide_attic=0

Solution
========
Upgrade to GForge 4.x

Workaround
==========
Dragos Moinescu suggested the workaround of his module.
- ---
modify $GFORGE/common/include/cvsweb/DirectoryHandler.class
function openDirectory()
{
if($this->__DIR_NAME == "" || strstr($this->__DIR_NAME, ".."))
{
$this->setError("You must provide a valid directory name");
return false;
}
- ---

But, above workaround doesn't remove the vulnerability in controller.php (by
Ronald Petty).

You can restrict users to use only cvsweb.
modify $GFORGE/www/scm/index.php (follow this step).
1) find '<a href="/scm/controller.php' and delete the found line.
2) find '<a href="/scm/controlleroo.php' and delete the found line.
3) delete controller.php, controlleroo.php, viewFile.php.

Vendor URL
==========
http://www.gforge.org/

Credits
======
Jeremy Bae at STG Security
Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    20 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close