STG Security Advisory: [SSA-20050120-24] GForge 3.x directory traversal vulnerability

advisory_at_stgsecurity.com
Date: 01/20/05

    Date: 20 Jan 2005 05:17:35 -0000
    To: bugtraq@securityfocus.com

    STG Security Advisory: [SSA-20050120-24] GForge 3.x directory traversal vulnerability.

    Revision 1.0
    Date Published: 2005-01-20 (KST)
    Last Update: 2005-01-20 (KST)
    Disclosed by SSR Team (advisory@stgsecurity.com)

    Summary
    ========
    GForge is software that supports collaborative development in software
    communities. It provides a fully configured development system, with
    communication and version-control tools for the members of a development
    team, through a web site. The GForge CVS modules contain a directory
    traversal vulnerability that malicious attackers can exploit.

    Vulnerability Class
    ===================
    Implementation Error: Input validation flaw

    Impact
    ======
    Low: arbitrary directory listing disclosure.

    Affected Products
    =================
    GForge 3.3 and prior

    Not Affected Products
    =====================
    GForge 4.0 and later

    Vendor Status: FIXED (GForge 4.0)
    =================================
    2004-12-28 Vulnerability found
    2004-12-28 Developers (Dragos Moinescu, Ronald Petty) contacted; the
    vulnerability was confirmed.
    2004-12-28 Dragos Moinescu suggested a workaround for his module.
    2004-12-29 Vendor contacted.
    2005-01-20 Official release.

    Details
    =======
    The GForge CVS module written by Dragos Moinescu and another module written by
    Ronald Petty both have a directory traversal vulnerability.

    $GFORGE/www/scm/controller.php does not sanitize the $dir variable.
    ---
    // $dir is populated directly from the request when register_globals is on
    if(!$dir) {
      $dir = $cvsroot;
      $files = retrieveDir($dir);
    ...snip...
    } else {
      $files = retrieveDir($dir);   // attacker-supplied path used as-is
    ---

    $GFORGE/www/scm/controlleroo.php does not sanitize the $dir_name variable.
    ---
    // $dir_name is appended to $CVSROOT without any check for ".."
    $DIRNAME = ($dir_name != "")?"/$dir_name":"";
    $DIRNAME = $CVSROOT.$DIRNAME;
    $DIRPATH = explode("/",$dir_name);
    echo("Current directory: ");
    for($i=0;$i<count($DIRPATH);$i++)
    {
    ...snip...
    if(false === ($dirContent = $DHD->readDirectory($DIRNAME)))
      echo("Error: ".$DHD->getError());
    ...snip...
    foreach($dirContent AS $k=>$v)
    {
    ...snip...
    $fileLink = ...snip...
    ---

    With register_globals = On (in php.ini), $dir and $dir_name are populated
    straight from the query string, so malicious attackers can obtain arbitrary
    directory listings.

    Proof of Concept
    ================
    1) http://[victim]/scm/controller.php?group_id=[number]
    &dir=/cvsroot/[project]/CVSROOT/../../../../../

    2) http://[victim]/scm/controlleroo.php?group_id=[number]
    &dir_name=../../../&hide_attic=0
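The following PHP script is an added example and not part of the advisory: it scans web-server access-log lines for requests to the GForge scm scripts whose dir or dir_name parameter carries a traversal sequence, which is how a defender would spot attempts shaped like the proof of concept above. The log lines are constructed for the example, and the function name scm_traversal_hits is an assumption.

```php
<?php
// Added example, not part of the advisory: flag access-log lines that request
// /scm/controller.php or /scm/controlleroo.php with a dir / dir_name value
// containing "..". scm_traversal_hits is a name chosen for this example.

function scm_traversal_hits(array $lines)
{
    $hits = array();
    foreach ($lines as $line) {
        // Pull the request target out of a Common Log Format request field.
        if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $path  = parse_url($m[1], PHP_URL_PATH);
        $query = parse_url($m[1], PHP_URL_QUERY);
        if ($query === null || !preg_match('#/scm/controller(oo)?\.php$#', (string) $path)) {
            continue;
        }
        parse_str($query, $params); // percent-decodes, so %2F is seen as "/"
        foreach (array('dir', 'dir_name') as $p) {
            // Match ".." only as a whole path component, not e.g. "foo..bar".
            if (isset($params[$p]) && is_string($params[$p])
                && preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $params[$p])) {
                $hits[] = array('param' => $p, 'value' => $params[$p], 'line' => $line);
            }
        }
    }
    return $hits;
}

// Constructed sample: two requests shaped like the advisory's proof of concept,
// one legitimate subdirectory browse, and one unrelated request.
$sample = array(
    '10.0.0.5 - - [20/Jan/2005:10:01:02 +0900] "GET /scm/controller.php?group_id=12&dir=/cvsroot/proj/CVSROOT/../../../../../ HTTP/1.0" 200 5120',
    '10.0.0.5 - - [20/Jan/2005:10:01:09 +0900] "GET /scm/controlleroo.php?group_id=12&dir_name=..%2F..%2F..%2F&hide_attic=0 HTTP/1.0" 200 2048',
    '10.0.0.9 - - [20/Jan/2005:10:02:44 +0900] "GET /scm/controlleroo.php?group_id=12&dir_name=src/lib&hide_attic=0 HTTP/1.0" 200 1890',
    '10.0.0.9 - - [20/Jan/2005:10:03:01 +0900] "GET /index.php HTTP/1.0" 200 700',
);

foreach (scm_traversal_hits($sample) as $h) {
    printf("ALERT %s=%s\n  %s\n", $h['param'], $h['value'], $h['line']);
}
```

The first two sample lines are reported and the last two are not. Because the query string is decoded before matching, encoded variants such as `..%2F` are caught as well; a hit against a GForge 4.x installation, or one with register_globals off, indicates an attempt rather than a successful listing.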

    Solution
    ========
    Upgrade to GForge 4.x

    Workaround
    ==========
    Dragos Moinescu suggested the following workaround for his module.
    ---
    modify $GFORGE/common/include/cvsweb/DirectoryHandler.class
    function openDirectory()
    {
      // reject empty names and any name containing ".."
      if($this->__DIR_NAME == "" || strstr($this->__DIR_NAME, ".."))
      {
        $this->setError("You must provide a valid directory name");
        return false;
      }
    ---

    However, the workaround above does not remove the vulnerability in
    controller.php (by Ronald Petty).
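As an added example (not GForge code, and not the workaround quoted above), the script below places the unsanitized $dir pattern from controller.php next to a hardened check that resolves the requested directory and accepts it only if it stays inside the project's CVS root. Unlike a plain strstr("..") test, this also rejects absolute paths and symlinks that point outside the root. The function names vulnerable_scm_dir and safe_scm_dir, and the temporary directory tree, are constructed for this example.

```php
<?php
// Added example, not GForge code: the $dir handling described in the advisory,
// beside a hardened version that confines the requested directory to $cvsroot.
// vulnerable_scm_dir and safe_scm_dir are names chosen for this example.

// Vulnerable pattern from controller.php: whatever arrives in $dir (filled in
// straight from the query string when register_globals is on) is used as-is.
function vulnerable_scm_dir($cvsroot, $dir)
{
    if (!$dir) {
        $dir = $cvsroot;
    }
    return $dir; // "CVSROOT/../../../../../" passes through untouched
}

// Hardened version: the caller passes $_GET['dir_name'] explicitly instead of
// relying on register_globals; the path is built under the CVS root, resolved
// with realpath(), and accepted only if the result is the root or a descendant.
function safe_scm_dir($cvsroot, $dir_name)
{
    // Reject non-strings and embedded NUL bytes before any filesystem call.
    if (!is_string($dir_name) || strpos($dir_name, "\0") !== false) {
        return false;
    }
    $root = realpath($cvsroot);
    if ($root === false) {
        return false; // the CVS root itself is missing
    }
    $candidate = ($dir_name !== '') ? $root . '/' . $dir_name : $root;
    $resolved  = realpath($candidate);
    if ($resolved === false || !is_dir($resolved)) {
        return false; // nonexistent, or not a directory
    }
    // Containment test on the canonical path: ".." and symlinks are already
    // resolved, so a prefix comparison against "$root/" is sufficient.
    if ($resolved !== $root && strncmp($resolved, $root . '/', strlen($root) + 1) !== 0) {
        return false; // escaped the CVS root
    }
    return $resolved;
}

// Demonstration on a constructed tree under the system temp directory.
$base    = sys_get_temp_dir() . '/gforge-demo-' . getmypid();
$cvsroot = "$base/cvsroot/proj";
mkdir("$cvsroot/CVSROOT", 0700, true);
mkdir("$base/outside", 0700, true);

echo "controller.php pattern returns: ",
     vulnerable_scm_dir($cvsroot, 'CVSROOT/../../../../../'), "\n\n";

// Inputs include the shapes of the advisory's two proof-of-concept values.
$inputs = array('', 'CVSROOT', '../../../', 'CVSROOT/../../../../../', '/etc');
foreach ($inputs as $in) {
    $r = safe_scm_dir($cvsroot, $in);
    printf("%-26s -> %s\n", var_export($in, true), $r === false ? 'REJECTED' : $r);
}

// Remove the constructed tree.
rmdir("$cvsroot/CVSROOT");
rmdir($cvsroot);
rmdir("$base/cvsroot");
rmdir("$base/outside");
rmdir($base);
```

Only the empty name and CVSROOT are accepted; the three traversal or absolute inputs are rejected because their resolved paths lie outside the CVS root. Applying this check in both controller.php and controlleroo.php closes the gap the DirectoryHandler-only workaround leaves open.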

    Alternatively, restrict users to cvsweb only by modifying
    $GFORGE/www/scm/index.php as follows:
    1) find '<a href="/scm/controller.php' and delete the line found.
    2) find '<a href="/scm/controlleroo.php' and delete the line found.
    3) delete controller.php, controlleroo.php and viewFile.php.

    Vendor URL
    ==========
    http://www.gforge.org/

    Credits
    =======
    Jeremy Bae at STG Security

