ID PACKETSTORM:35838 Type packetstorm Reporter STG Security Modified 2005-01-25T00:00:00
Description
`
STG Security Advisory: [SSA-20050120-24] GForge 3.x directory traversal
vulnerability.
Revision 1.0
Date Published: 2005-01-20 (KST)
Last Update: 2005-01-20 (KST)
Disclosed by SSR Team (advisory@stgsecurity.com)
Summary
========
GForge is software that supports collaborative development for software
communities. It provides a fully configured development system with
tools for communication and version control among members of a development
team on a web site. The GForge CVS modules have a directory traversal
vulnerability that malicious attackers can exploit.
Vulnerability Class
===================
Implementation Error: Input validation flaw
Impact
======
Low: arbitrary directory listing disclosure.
Affected Products
================
GForge 3.3 and prior
Not Affected Products
=====================
GForge 4.0 and later
Vendor Status: FIXED (GForge 4.0)
====================
2004-12-28 Vulnerability found
2004-12-28 Developers (Dragos Moinescu, Ronald Petty) contacted and
confirmed.
2004-12-28 Dragos Moinescu suggested a workaround for his module.
2004-12-29 Vendor contacted.
2005-01-20 Official release.
Details
=======
The GForge CVS module written by Dragos Moinescu and another module written by
Ronald Petty both have a directory traversal vulnerability.
$GFORGE/www/scm/controller.php does not sanitize the $dir variable.
---
if(!$dir) {
    $dir = $cvsroot;
    $files = retrieveDir($dir);
    ...snip...
} else {
    $files = retrieveDir($dir);
---
$GFORGE/www/scm/controlleroo.php does not sanitize the $dir_name variable.
---
$DIRNAME = ($dir_name != "")?"/$dir_name":"";
$DIRNAME = $CVSROOT.$DIRNAME;
$DIRPATH = explode("/",$dir_name);
echo("Current directory: ");
for($i=0;$i<count($DIRPATH);$i++)
{
    ...snip...
if(false === ($dirContent = $DHD->readDirectory($DIRNAME)))
    echo("Error: ".$DHD->getError());
...snip...
foreach($dirContent AS $k=>$v)
{
    ...snip...
    $fileLink = ...snip...
---
If register_globals = On (in php.ini), request parameters are registered as
global variables, so malicious attackers can set $dir or $dir_name directly
and read arbitrary directory listings.
Proof of Concept
================
1) http://[victim]/scm/controller.php?group_id=[number]
&dir=/cvsroot/[project]/CVSROOT/../../../../../
2) http://[victim]/scm/controlleroo.php?group_id=[number]
&dir_name=../../../&hide_attic=0
Solution
========
Upgrade to GForge 4.x
Workaround
==========
Dragos Moinescu suggested a workaround for his module: modify
$GFORGE/common/include/cvsweb/DirectoryHandler.class
---
function openDirectory()
{
    if($this->__DIR_NAME == "" || strstr($this->__DIR_NAME, ".."))
    {
        $this->setError("You must provide a valid directory name");
        return false;
    }
---
However, the workaround above does not remove the vulnerability in
controller.php (Ronald Petty's module).
Alternatively, you can restrict users to cvsweb only. Modify
$GFORGE/www/scm/index.php as follows:
1) Find '<a href="/scm/controller.php' and delete the line found.
2) Find '<a href="/scm/controlleroo.php' and delete the line found.
3) Delete controller.php, controlleroo.php, viewFile.php.
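An added example (not part of the advisory and not GForge code) of the containment check that controller.php and controlleroo.php both lack: the requested directory is always treated as relative to the CVS root, canonicalised, and accepted only if the result stays under that root. The helper name resolveUnderRoot() and the temporary demo tree are assumptions made for illustration.

```php
<?php
// Added example, not GForge code. resolveUnderRoot() is a hypothetical helper.

/**
 * Resolve a user-supplied directory against $root and return the canonical
 * path only if it is $root itself or an existing directory beneath it.
 */
function resolveUnderRoot(string $root, string $userDir): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;                       // misconfigured root: fail closed
    }
    // Reject NUL bytes outright; older PHP versions truncated paths at them.
    if (strpos($userDir, "\0") !== false) {
        return null;
    }
    // Input is always appended to the root, so an absolute value such as
    // "/etc" cannot replace it. realpath() collapses "..", "." and symlinks.
    $candidate = realpath($rootReal . DIRECTORY_SEPARATOR . $userDir);
    if ($candidate === false || !is_dir($candidate)) {
        return null;
    }
    // Trailing separator so a sibling like /cvsroot-other does not match /cvsroot.
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $rootReal && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo tree: <tmp>/cvsroot/project/CVSROOT plus a sibling directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'gf_demo_' . getmypid();
mkdir("$base/cvsroot/project/CVSROOT", 0700, true);
mkdir("$base/cvsroot-other", 0700, true);

// Constructed inputs: two legitimate values, then traversal and edge cases.
$samples = ['project', 'project/CVSROOT/..', '../../../', '../cvsroot-other', 'project/missing'];
foreach ($samples as $dir) {
    $resolved = resolveUnderRoot("$base/cvsroot", $dir);
    printf("%-22s => %s\n", $dir, $resolved === null ? 'REJECTED' : 'allowed');
}
```

Unlike the substring test for ".." in the workaround, this check decides on the resolved location, so it also covers symlinks and sibling directories whose names share the root's prefix.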
Vendor URL
==========
http://www.gforge.org/
Credits
======
Jeremy Bae at STG Security
`