GForge 3.x - Arbitrary Command Execution

2005-05-24T00:00:00
ID EXPLOITPACK:D907446DE642D6B5E431499E13BA5395
Type exploitpack
Reporter Filippo Spike Morelli
Modified 2005-05-24T00:00:00

Description

GForge 3.x - Arbitrary Command Execution

                                        
                                            source: https://www.securityfocus.com/bid/13716/info

GForge is affected by a remote command execution vulnerability.

This issue arises because the application fails to sanitize user-supplied data passed through URI parameters.

An attacker can supply arbitrary shell commands through the affected parameter to be executed in the context of the affected server.

GForge versions prior to 4.0 are vulnerable to this issue. 

GET /scm/viewFile.php?group_id=11&file_name=%0Auname%20-a;id;w%0a