STG Security Advisory 2005-01-20.24

Type packetstorm
Reporter STG Security
Modified 2005-01-25T00:00:00


STG Security Advisory: [SSA-20050120-24] GForge 3.x directory traversal  
Revision 1.0  
Date Published: 2005-01-20 (KST)  
Last Update: 2005-01-20 (KST)  
Disclosed by SSR Team (  
GForge is software that supports collaborative development for software  
communities. It provides a fully configured development system with  
tools for communication and version control among members of a development  
team on a web site. The GForge CVS modules have a directory traversal  
vulnerability that malicious attackers can exploit.  
Vulnerability Class  
Implementation Error: Input validation flaw  
Low: arbitrary directory list disclosure.  
Affected Products  
GForge 3.3 and prior  
Not Affected Products  
GForge 4.0 and later  
Vendor Status: FIXED (GForge 4.0)  
2004-12-28 Vulnerability found  
2004-12-28 Developers (Dragos Moinescu, Ronald Petty) contacted and  
2004-12-28 Dragos Moinescu suggested a workaround for his module.  
2004-12-29 Vendor contacted.  
2005-01-20 Official release.  
The GForge CVS module written by Dragos Moinescu and another module written by  
Ronald Petty both have a directory traversal vulnerability.  
$GFORGE/www/scm/controller.php does not sanitize the $dir variable.  
---  
if(!$dir) {  
    $dir = $cvsroot;  
    $files = retrieveDir($dir);  
} else {  
    // with register_globals = On, $dir is request-supplied and used unchecked  
    $files = retrieveDir($dir);  
}  
---  
$GFORGE/www/scm/controlleroo.php does not sanitize the $dir_name variable.  
---  
$DIRNAME = ($dir_name != "")?"/$dir_name":"";  
$DIRPATH = explode("/",$dir_name);  
echo("Current directory: ");  
if(false === ($dirContent = $DHD->readDirectory($DIRNAME)))  
    echo("Error: ".$DHD->getError());  
foreach($dirContent AS $k=>$v)  
    $fileLink = ...snip...  
---  
If register_globals = On (in php.ini), malicious attackers can read  
arbitrary directory listings.  
Proof of Concept  
1) http://[victim]/scm/controller.php?group_id=[number]  
2) http://[victim]/scm/controlleroo.php?group_id=[number]  
Upgrade to GForge 4.x  
Dragos Moinescu suggested the following workaround for his module.  
---  
modify $GFORGE/common/include/cvsweb/DirectoryHandler.class  
function openDirectory() {  
    // reject empty names and any name containing ".."  
    if($this->__DIR_NAME == "" || strstr($this->__DIR_NAME, "..")) {  
        $this->setError("You must provide a valid directory name");  
        return false;  
    }  
    // ... rest of openDirectory() unchanged ...  
}  
---  
However, the above workaround does not remove the vulnerability in  
controller.php (by Ronald Petty).  
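An alternative to substring matching, as an added example (not GForge code and not part of the original advisory): canonicalize the requested directory with realpath() and accept it only if the result stays under the CVS root. The helper name resolve_within_root and the temporary demo tree are assumptions made for illustration; a handler would pass the request parameter explicitly (for example $_GET['dir']) rather than rely on register_globals.

```php
<?php
// Added example (hypothetical helper, not GForge code).

/**
 * Return the canonical path of $requested if it is a directory inside
 * $root, or false otherwise. $requested is always interpreted relative
 * to $root, so a leading slash does not make it absolute.
 */
function resolve_within_root($root, $requested)
{
    $rootReal = realpath($root);
    if ($rootReal === false || !is_string($requested)) {
        return false;
    }
    // realpath() collapses "..", "." and symlinks and fails on missing paths.
    $candidate = realpath($rootReal . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($candidate === false || !is_dir($candidate)) {
        return false;
    }
    // Compare against "root/" so that a sibling such as "rootX" never matches.
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $rootReal && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return $candidate;
}

// Constructed demo tree standing in for a CVS root (assumption).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cvsroot_demo_' . getmypid();
mkdir($root . '/project/src', 0700, true);

// Constructed inputs; a handler would pass $_GET['dir'] explicitly
// instead of relying on register_globals.
$cases = array('', 'project', 'project/src', 'project/../project/src',
               '..', 'project/../..', '/project', 'missing');
foreach ($cases as $dir) {
    $ok = resolve_within_root($root, $dir) !== false;
    printf("%-26s %s\n", var_export($dir, true), $ok ? 'allowed' : 'rejected');
}

// Remove the demo tree.
rmdir($root . '/project/src');
rmdir($root . '/project');
rmdir($root);
```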
You can restrict users to cvsweb only.  
Modify $GFORGE/www/scm/index.php as follows:  
1) Find '<a href="/scm/controller.php' and delete the line that contains it.  
2) Find '<a href="/scm/controlleroo.php' and delete the line that contains it.  
3) Delete controller.php, controlleroo.php, and viewFile.php.  
Vendor URL  
Jeremy Bae at STG Security