alexandria.txt

2003-03-29T00:00:00
ID PACKETSTORM:30944
Type packetstorm
Reporter Ulf Harnhammar
Modified 2003-03-29T00:00:00

Description

                                        
======================================================================   
  
Secunia Research 28/03/2003   
  
- Alexandria-dev / sourceforge multiple vulnerabilities -   
  
======================================================================  
Receive Secunia Security Advisories for free:  
http://www.secunia.com/subscribe_secunia_security_advisories/?6   
  
======================================================================   
Table of Contents   
1..............................................Description of software   
2.......................................Description of vulnerabilities   
3....................................................Affected Software   
4.............................................................Severity   
5.............................................................Solution   
6...........................................................Time Table   
7........................................................About Secunia   
8..............................................................Credits   
9.........................................................Verification   
  
======================================================================   
1) Description of software   
  
Alexandria ( http://sourceforge.net/projects/alexandria-dev/ ) is an   
open-source project management system.  
  
A modified version is used by the highly popular sourceforge.net web  
site, which hosts a large percentage of all open source projects.   
  
======================================================================   
2) Description of vulnerabilities   
  
a) Upload spoofing   
  
Both Alexandria's "docman/new.php" script and its "patch/index.php"   
script are vulnerable to upload spoofing, that is, they can be tricked   
into treating any file readable by the web server as if it were the   
uploaded file.   
  
When a file is uploaded, PHP stores it in a temporary file and, with   
register_globals enabled, saves its location in a global variable named   
after the <input type="file"..> tag's name attribute. The programmer is   
supposed to check that the file really was uploaded, using functions   
such as "is_uploaded_file()" or "move_uploaded_file()", but many   
forget to.   
  
By POSTing an ordinary <input type="text"..> field with the same name   
attribute as the file upload to either of the two scripts mentioned   
above, an attacker supplies that path himself and can retrieve   
"/etc/passwd", "/etc/local.inc" (which holds SourceForge's database   
username/password combination), or other important files.   
  
Here is an example. A normal upload HTML form might look like this:   
  
<form method="POST" enctype="multipart/form-data"   
action="script.php">   
<input type="file" name="thefile" size="30">   
<input type="submit" value="Upload it!">   
</form>   
  
To conduct upload spoofing against a vulnerable program such as   
SourceForge, an attacker can use this form instead:   
  
<form method="POST" enctype="multipart/form-data"   
action="script.php">   
<input type="text" name="thefile" value="/etc/passwd" size="30">   
<input type="submit" value="Upload it!">   
</form>   
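The vulnerable pattern and its fix side by side, as an added PHP example (this is not Alexandria's code; the field name "thefile", the destination directory and the function names are assumptions made for illustration):

```php
<?php
// Added example, not Alexandria's code. The field name "thefile", $dest_dir
// and the function names are assumptions made for illustration.

$dest_dir = '/var/www/uploads';

// VULNERABLE pattern. With register_globals on, $thefile is simply whatever
// the request supplied under that name. A real file upload puts the temporary
// path there, but a text field named "thefile" with the value "/etc/passwd"
// ends up there too, and copy() reads that file just the same, so the
// attacker gets /etc/passwd back as "his upload".
function store_upload_vulnerable($dest_dir)
{
    global $thefile;                       // filled in from the request
    $dest = $dest_dir . '/' . basename($thefile);
    return copy($thefile, $dest);
}

// HARDENED pattern. Take the path only from $_FILES, and ask PHP whether that
// path was really created by this request's upload before touching it. The
// client-supplied file name is never used for the on-disk path either.
function store_upload_hardened($field, $dest_dir)
{
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        return false;                      // nothing was uploaded under that name
    }
    $tmp = $_FILES[$field]['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        // The path was not produced by the upload mechanism: a spoofing attempt.
        error_log("upload spoofing attempt on field '$field': $tmp");
        return false;
    }
    $dest = $dest_dir . '/' . bin2hex(random_bytes(16));   // PHP 7+
    // move_uploaded_file() repeats the is_uploaded_file() check and moves the
    // file in one step, which is why it is the usual choice for this step.
    if (!move_uploaded_file($tmp, $dest)) {
        return false;
    }
    return $dest;
}

// The hardened handler in use. The spoofed form above sends "thefile" as a
// text field, so $_FILES['thefile'] is absent, the request is refused, and
// the attacker-chosen path never reaches copy() or move_uploaded_file().
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $saved = store_upload_hardened('thefile', $dest_dir);
    echo $saved === false ? "Upload refused.\n" : "Stored as $saved\n";
}
```

The decisive difference is where the path comes from: $_FILES is populated only by PHP's own upload handling, and is_uploaded_file() confirms that the temporary path belongs to this request, so a value the client typed into a text field can never be mistaken for an upload.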
  
b) Spamming and CRLF Injection   
  
Alexandria's "sendmessage.php" script tries to prevent people from   
using it for spamming by only allowing "To" addresses that contain   
the domain of the current Alexandria installation. This is very easy   
to get around, though. If the domain is "our-site", a spammer can use   
the display-name syntax of RFC 2822 to construct an address like   
"our-site <mike@someothersite.net>", which Alexandria accepts because   
its domain appears somewhere in the string, while the mail is actually   
delivered to mike@someothersite.net.   
  
The "sendmessage.php" script also suffers from CRLF Injection: line   
breaks in user-supplied header values are not stripped, so people can   
add mail headers of their own, for instance to send HTML mails.   
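Both weaknesses of "sendmessage.php" in one added PHP example. The code is written here to illustrate the pattern the advisory describes, not taken from Alexandria; the site domain, the sample addresses and all function names are assumptions:

```php
<?php
// Added example, not Alexandria's sendmessage.php. $site_domain, the sample
// addresses and the function names are assumptions made for illustration.

$site_domain = 'our-site';

// WEAK check, as the advisory describes it: "does our domain occur anywhere
// in the address?". RFC 2822 allows a display name in front of the angle-
// bracketed address, so "our-site <mike@someothersite.net>" passes while the
// mail goes to mike@someothersite.net.
function recipient_allowed_weak($to, $site_domain)
{
    return strpos($to, $site_domain) !== false;
}

// STRICT check: exactly one bare local@host, no display name, no whitespace,
// no CR/LF, and the host part must equal the site domain (case-insensitive).
// The D modifier stops $ from matching in front of a trailing newline.
function recipient_allowed_strict($to, $site_domain)
{
    if (!preg_match('/^([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+)$/D', $to, $m)) {
        return false;                  // also rejects anything containing \r or \n
    }
    return strcasecmp($m[2], $site_domain) === 0;
}

// Assemble what would be handed to mail(); returns false on any violation.
// A line break inside a header value lets the sender append headers of his
// own (Bcc:, Content-Type: text/html, ...), so those values are refused too.
function prepare_message($to, $from, $subject, $site_domain)
{
    if (!recipient_allowed_strict($to, $site_domain)) {
        return false;
    }
    if (preg_match('/[\r\n]/', $from . $subject)) {
        return false;                  // CRLF injection attempt in a header
    }
    // Only now is it safe to call mail($to, $subject, $body, $headers).
    return array('to' => $to, 'subject' => $subject, 'headers' => "From: $from\r\n");
}

// Constructed sample addresses, not real Alexandria traffic.
$samples = array(
    'mike@our-site',
    'our-site <mike@someothersite.net>',
    "mike@our-site\r\nBcc: mike@someothersite.net",
);
foreach ($samples as $to) {
    printf("%-48s weak=%d strict=%d\n", addcslashes($to, "\r\n"),
        (int) recipient_allowed_weak($to, $site_domain),
        (int) recipient_allowed_strict($to, $site_domain));
}

// A legitimate recipient does not help when the subject carries an injected
// header; prepare_message() refuses the whole message.
var_dump(prepare_message('mike@our-site', 'ann@our-site',
    "hello\r\nContent-Type: text/html", $site_domain));
```

The weak check accepts all three sample recipients because the substring "our-site" is present in each; the strict check accepts only the first, since the other two fail the single-bare-address shape before the domain is even compared.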
  
c) Cross Site Scripting   
  
Users' real names, users' resumes (under skills profile), short   
and long job descriptions as well as short project descriptions   
are all displayed without HTML encoding and therefore suffer from   
Cross Site Scripting problems. This means that malicious users may   
steal other users' cookies or perform actions under their names.   
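The stored-field XSS described above, as an added PHP example of raw interpolation beside output encoding (not Alexandria's templates; the profile fields, the sample values and the helper name are assumptions):

```php
<?php
// Added example, not Alexandria's code. The profile fields, the sample values
// and the helper name h() are assumptions made for illustration.

// Stored fields such as a user's real name or resume were typed in by other
// users; they are data, not markup. Encode them at output time for the
// context they land in.
function h($s)
{
    // ENT_QUOTES also encodes ' so the value is safe inside quoted attributes.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// VULNERABLE: raw interpolation. A real name containing
// <script>alert(document.cookie)</script> runs in every visitor's browser,
// which is how the cookie theft described above happens.
function render_profile_vulnerable($real_name, $resume)
{
    return "<h1>$real_name</h1>\n"
         . "<pre>$resume</pre>\n"
         . "<input name=\"real_name\" value=\"$real_name\">\n";
}

// HARDENED: every untrusted value passes through h() on its way out, in the
// element body and inside the attribute value alike.
function render_profile_hardened($real_name, $resume)
{
    return '<h1>' . h($real_name) . "</h1>\n"
         . '<pre>' . h($resume) . "</pre>\n"
         . '<input name="real_name" value="' . h($real_name) . "\">\n";
}

// Constructed sample profile, not data from a real installation.
$name   = "Mallory <script>alert(document.cookie)</script>";
$resume = "PHP, \"security\" & friends";

echo "--- vulnerable ---\n", render_profile_vulnerable($name, $resume);
echo "--- hardened ---\n",   render_profile_hardened($name, $resume);
```

In the hardened output the script tag appears literally as text (&lt;script&gt;...), and the double quote in the resume becomes &quot;, so it cannot close the value attribute of the edit form either.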
  
======================================================================   
3) Affected Software   
  
At least Alexandria versions 2.5 and 2.0 are vulnerable to these   
problems.   
  
WebSite:   
http://sourceforge.net/projects/alexandria-dev/  
  
======================================================================   
4) Severity   
  
Rating: Highly critical   
Impact: Cross Site Scripting, Exposure of system information,   
        Security Bypass   
Where:  From Remote   
  
======================================================================   
5) Solution   
  
No new release will be issued, as the source code is no longer  
supported by SourceForge / VA Software.  
  
The latest version of the commercial solution "SourceForge Enterprise  
Edition" is not believed to be vulnerable.  
  
======================================================================   
6) Time Table   
  
19/03/2003 - SourceForge.net contacted   
19/03/2003 - SourceForge.net confirmed   
21/03/2003 - SourceForge.net asked us to hold until 26/3/2003   
28/03/2003 - Vulnerability public disclosure   
  
We have also contacted other sites believed to use code derived from  
SourceForge / Alexandria.  
  
======================================================================   
7) About Secunia   
  
Secunia collects, validates, assesses and writes advisories regarding   
all the latest software vulnerabilities disclosed to the public. These   
advisories are gathered in a publicly available database at the   
Secunia website:   
http://www.secunia.com/  
  
Secunia offers services to our customers enabling them to receive all   
relevant vulnerability information to their specific system   
configuration.   
  
Secunia offers a FREE mailing list called Secunia Security Advisories:   
http://www.secunia.com/subscribe_secunia_security_advisories/?5   
  
======================================================================   
8) Credits   
  
Discovered by Ulf Harnhammar  
  
======================================================================   
9) Verification   
  
Please verify this advisory by visiting the Secunia website.   
http://www.secunia.com/secunia_research/2003-2/  
  
======================================================================  
  