`
STG Security Advisory: [SSA-20050120-24] GForge 3.x directory traversal
vulnerability.
Revision 1.0
Date Published: 2005-01-20 (KST)
Last Update: 2005-01-20 (KST)
Disclosed by SSR Team ([email protected])
Summary
========
GForge is software that supports collaborative development for software
communities. It provides a fully configured development system with
tools for communication and version control among members of a development
team on a web site. The GForge CVS modules have a directory traversal
vulnerability that malicious attackers can exploit.
Vulnerability Class
===================
Implementation Error: Input validation flaw
Impact
======
Low : arbitrary directory list disclosure.
Affected Products
================
GForge 3.3 and prior
Not Affected Products
=====================
GForge 4.0 and later
Vendor Status: FIXED (GForge 4.0)
====================
2004-12-28 Vulnerability found
2004-12-28 Developers (Dragos Moinescu, Ronald Petty) contacted and
confirmed.
2004-12-28 Dragos Moinescu suggested a workaround for his module.
2004-12-29 Vendor contacted.
2005-01-20 Official release.
Details
=======
The GForge CVS module made by Dragos Moinescu and another module made by Ronald
Petty both have a directory traversal vulnerability.
$GFORGE/www/scm/controller.php doesn't sanitize the $dir variable.
---
if(!$dir) {
    $dir = $cvsroot;
    $files = retrieveDir($dir);
    ...snip...
} else {
    $files = retrieveDir($dir);
---
$GFORGE/www/scm/controlleroo.php doesn't sanitize the $dir_name variable.
---
$DIRNAME = ($dir_name != "")?"/$dir_name":"";
$DIRNAME = $CVSROOT.$DIRNAME;
$DIRPATH = explode("/",$dir_name);
echo("Current directory: ");
for($i=0;$i<count($DIRPATH);$i++)
{
    ...snip...
if(false === ($dirContent = $DHD->readDirectory($DIRNAME)))
    echo("Error: ".$DHD->getError());
...snip...
foreach($dirContent AS $k=>$v)
{
    ...snip...
    $fileLink = ...snip...
---
If register_globals = On (in php.ini), malicious attackers can read
listings of arbitrary directories.
Proof of Concept
================
1) http://[victim]/scm/controller.php?group_id=[number]
&dir=/cvsroot/[project]/CVSROOT/../../../../../
2) http://[victim]/scm/controlleroo.php?group_id=[number]
&dir_name=../../../&hide_attic=0
Solution
========
Upgrade to GForge 4.x
Workaround
==========
Dragos Moinescu suggested a workaround for his module.
---
modify $GFORGE/common/include/cvsweb/DirectoryHandler.class
function openDirectory()
{
    if($this->__DIR_NAME == "" || strstr($this->__DIR_NAME, ".."))
    {
        $this->setError("You must provide a valid directory name");
        return false;
    }
---
However, the above workaround doesn't remove the vulnerability in
controller.php (by Ronald Petty).
Alternatively, you can restrict users to cvsweb only.
Modify $GFORGE/www/scm/index.php with the following steps.
1) find '<a href="/scm/controller.php' and delete the found line.
2) find '<a href="/scm/controlleroo.php' and delete the found line.
3) delete controller.php, controlleroo.php, viewFile.php.
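
A stricter check than the ".." substring test in the workaround above, shown as an added example that is not GForge code and not from the advisory's author: canonicalize the requested directory and require that the result stays under the CVS root. The helper name resolveInsideRoot() and the temporary sample tree are assumptions made for illustration.

```php
<?php
// Added example: resolve a user-supplied directory strictly inside a root.
// resolveInsideRoot() is a hypothetical helper, not a GForge function.
// In a real script the input would be read explicitly (e.g. $_GET['dir'])
// instead of relying on register_globals.
function resolveInsideRoot(string $root, string $userDir): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false || strpos($userDir, "\0") !== false) {
        return null; // unusable root, or NUL byte in the request
    }
    // Always treat the input as relative to the root, even if it starts with "/".
    $candidate = realpath($rootReal . DIRECTORY_SEPARATOR . ltrim($userDir, "/\\"));
    if ($candidate === false || !is_dir($candidate)) {
        return null; // does not exist, or is not a directory
    }
    // realpath() has collapsed ".." and symlinks; now enforce containment.
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $rootReal && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved path escaped the root
    }
    return $candidate;
}

// Constructed sample tree standing in for a CVS root.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cvsroot_demo_' . getmypid();
mkdir($base . '/project/CVSROOT', 0700, true);

// Constructed inputs: legitimate subdirectories plus traversal-style values.
$inputs = ['', 'project', 'project/CVSROOT', '../../../',
           'project/CVSROOT/../../../../', '/etc'];
foreach ($inputs as $in) {
    $out = resolveInsideRoot($base, $in);
    printf("%-34s => %s\n", var_export($in, true), $out === null ? 'REJECTED' : 'ok');
}

// Remove the sample tree.
rmdir($base . '/project/CVSROOT');
rmdir($base . '/project');
rmdir($base);
```

Comparing the canonical path against the root with a trailing separator also rejects sibling directories whose names merely begin with the root's name.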
Vendor URL
==========
http://www.gforge.org/
Credits
======
Jeremy Bae at STG Security
`