Re: [Full-disclosure] sourceforge entry point seems still active.

Sourceforge has posted a full report of the attack. It seems very close to what I
wrote in previous messages and reported in my blog posts related to this:

Sourceforge Attack: Full Report

On Tue, Jan 25, 2011 at 9:18 PM, exploit dev <extraexploit@xxxxxxxxx> wrote:

Hi Andrew,

just a reminder: this breach was used by php/python/perl scripts to fetch and
save a bot and a remote shell in the user directory. Also, as reported in the
Owned and Exposed zine, you could launch commands and attempt privilege
escalation. So I'm not so sure that this is not writable as well; I think it
is not right to say that it is not critical.


On Tue, Jan 25, 2011 at 8:47 PM, Andrew Farmer <andfarm@xxxxxxxxx> wrote:

On 2011-01-24, at 12:08, exploit dev wrote:
Anyway, I'm sorry to repeat my message. I think that this issue is a bit
critical, but I still don't receive any feedback.

It's not particularly critical by any means. SourceForge projects all have
their own web space, and there are doubtless a bunch of them running
vulnerable versions of software. These sites are relatively isolated, and
don't have write access to the project's SCM or downloads.


