[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050120051735.2832.qmail@www.securityfocus.com>
Date: 20 Jan 2005 05:17:35 -0000
From: <advisory@...security.com>
To: bugtraq@...urityfocus.com
Subject: STG Security Advisory: [SSA-20050120-24] GForge 3.x directory
traversal vulnerability
STG Security Advisory: [SSA-20050120-24] GForge 3.x directory traversal
vulnerability.
Revision 1.0
Date Published: 2005-01-20 (KST)
Last Update: 2005-01-20 (KST)
Disclosed by SSR Team (advisory@...security.com)
Summary
========
GForge is a software to help collaborative development for software
communities. The software provides a full configured development system with
tools for communication and version control among members of a development
team on a web site. GForge CVS modules have a directory traversal
vulnerability exploited by malicious attackers.
Vulnerability Class
===================
Implementation Error: Input validation flaw
Impact
======
Low : arbitrary directory list disclosure.
Affected Products
================
GForge 3.3 and prior
Not Affected Products
=====================
GForge 4.0 and posterior
Vendor Status: FIXED (GForge 4.0)
====================
2004-12-28 Vulnerability found
2004-12-28 Developers (Dragos Moinescu, Ronald Petty) contacted and
confirmed.
2004-12-28 Dragos Moinescu suggested the workaround of his module.
2004-12-29 Vendor contacted.
2005-01-20 Official release.
Details
=======
GForge CVS module made by Dragos Moinescu and another module made by Ronald
Petty have a directory traversal vulnerability.
$GFORGE/www/scm/controller.php doesn't sanitize $dir variable.
- ---
if(!$dir) {
$dir = $cvsroot;
$files = retrieveDir($dir);
...snip...
} else {
$files = retrieveDir($dir);
- ---
$GFORGE/www/scm/controlleroo.php doesn't sanitize $dir_name variable.
- ---
$DIRNAME = ($dir_name != "")?"/$dir_name":"";
$DIRNAME = $CVSROOT.$DIRNAME;
$DIRPATH = explode("/",$dir_name);
echo("Current directory: ");
for($i=0;$i<count($DIRPATH);$i++)
{
...snip...
if(false === ($dirContent = $DHD->readDirectory($DIRNAME)))
echo("Error: ".$DHD->getError());
...snip...
foreach($dirContent AS $k=>$v)
{
...snip...
$fileLink = ...snip...
- ---
If register_globals = On (in php.ini), malicious attackers can read
arbitrary directory lists.
Proof of Concept
================
1) http://[victim]/scm/controller.php?group_id=[number]
&dir=/cvsroot/[project]/CVSROOT/../../../../../
2) http://[victim]/scm/controlleroo.php?group_id=[number]
&dir_name=../../../&hide_attic=0
Solution
========
Upgrade to GForge 4.x
Workaround
==========
Dragos Moinescu suggested the workaround of his module.
- ---
modify $GFORGE/common/include/cvsweb/DirectoryHandler.class
function openDirectory()
{
if($this->__DIR_NAME == "" || strstr($this->__DIR_NAME, ".."))
{
$this->setError("You must provide a valid directory name");
return false;
}
- ---
But, above workaround doesn't remove the vulnerability in controller.php (by
Ronald Petty).
You can restrict users to use only cvsweb.
modify $GFORGE/www/scm/index.php (follow this step).
1) find '<a href="/scm/controller.php' and delete the found line.
2) find '<a href="/scm/controlleroo.php' and delete the found line.
3) delete controller.php, controlleroo.php, viewFile.php.
Vendor URL
==========
http://www.gforge.org/
Credits
======
Jeremy Bae at STG Security
Powered by blists - more mailing lists