STG Security Advisory: [SSA-20050120-24] GForge 3.x directory traversal vulnerability

Revision 1.0
Date Published: 2005-01-20 (KST)
Last Update: 2005-01-20 (KST)
Disclosed by SSR Team (advisory@xxxxxxxxxxxxxxx)

GForge is software that supports collaborative development for software
communities. It provides a fully configured development system with
tools for communication and version control among members of a development
team on a web site. The GForge CVS modules have a directory traversal
vulnerability that malicious attackers can exploit.

Vulnerability Class
Implementation Error: Input validation flaw

Low: arbitrary directory list disclosure.

Affected Products
GForge 3.3 and prior

Not Affected Products
GForge 4.0 and later

Vendor Status: FIXED (GForge 4.0)
2004-12-28 Vulnerability found
2004-12-28 Developers (Dragos Moinescu, Ronald Petty) contacted and
2004-12-28 Dragos Moinescu suggested the workaround of his module.
2004-12-29 Vendor contacted.
2005-01-20 Official release.

The GForge CVS module made by Dragos Moinescu and another module made by
Ronald Petty both have a directory traversal vulnerability.

$GFORGE/www/scm/controller.php does not sanitize the $dir variable.
---
if(!$dir) {
  $dir = $cvsroot;
  $files = retrieveDir($dir);
} else {
  $files = retrieveDir($dir);
---

$GFORGE/www/scm/controlleroo.php does not sanitize the $dir_name variable.
---
$DIRNAME = ($dir_name != "")?"/$dir_name":"";
$DIRPATH = explode("/",$dir_name);
echo("Current directory: ");
if(false === ($dirContent = $DHD->readDirectory($DIRNAME)))
  echo("Error: ".$DHD->getError());
foreach($dirContent AS $k=>$v)
$fileLink = ...snip...
---

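If register_globals = On (in php.ini), request parameters are imported as
global variables, so these unsanitized variables can be set from the URL and
malicious attackers can read arbitrary directory lists.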

Proof of Concept
1) http://[victim]/scm/controller.php?group_id=[number]

2) http://[victim]/scm/controlleroo.php?group_id=[number]

Upgrade to GForge 4.x

Dragos Moinescu suggested the following workaround for his module.
---
modify $GFORGE/common/include/cvsweb/DirectoryHandler.class
function openDirectory() {
  // Reject an empty directory name or one containing ".."
  if($this->__DIR_NAME == "" || strstr($this->__DIR_NAME, "..")) {
    $this->setError("You must provide a valid directory name");
    return false;
  }
  // ... rest of openDirectory() unchanged
}
---

However, the workaround above does not remove the vulnerability in
controller.php (by Ronald Petty).
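
A stricter check than the ".." filter, as an added example that is not part of the advisory or of GForge's code: it canonicalizes the requested directory with realpath() and accepts it only if it stays under the CVS root, which a listing call such as the one in controller.php could use as well. The function name, directory layout and request strings are constructed for illustration; PHP 7.1+ on a POSIX system is assumed.

```php
<?php
// Added example; function and path names are hypothetical, not GForge's.

// Return the canonical path of $requested if it is a directory inside $root,
// or null otherwise. The request is always treated as relative to $root.
function resolve_inside_root(string $root, string $requested): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null; // misconfigured root: fail closed
    }
    // realpath() collapses "..", "." and symlinks before any comparison.
    $candidate = realpath($rootReal . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_dir($candidate)) {
        return null; // missing, unreadable, or not a directory
    }
    // Trailing separator so that /x/cvsroot does not match /x/cvsroot-old.
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate === $rootReal || strncmp($candidate, $prefix, strlen($prefix)) === 0) {
        return $candidate;
    }
    return null;
}

// Constructed sample tree in a temporary directory (POSIX assumed for symlink()).
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ssa_demo_' . getmypid();
$root = $base . '/cvsroot';
mkdir($root . '/project/src', 0700, true);
mkdir($base . '/cvsroot-old', 0700, true);   // sibling sharing the root's prefix
symlink($base, $root . '/project/up');       // link that leaves the root

// Constructed requests: two legitimate, four that try to leave the root.
$requests = ['', 'project/src', 'project/../..', '../cvsroot-old', '/etc', 'project/up'];
foreach ($requests as $req) {
    $dotdot = strstr($req, '..') === false ? 'pass' : 'block'; // the ".." filter alone
    $inside = resolve_inside_root($root, $req) === null ? 'block' : 'pass';
    printf("%-18s dotdot-filter=%-5s containment=%s\n", var_export($req, true), $dotdot, $inside);
}

// Remove the sample tree.
unlink($root . '/project/up');
foreach (['/cvsroot/project/src', '/cvsroot/project', '/cvsroot', '/cvsroot-old', ''] as $d) {
    rmdir($base . $d);
}
```

The symlink and absolute-path requests pass the ".." filter but are blocked by the containment check, because the comparison is made on the resolved path rather than on the request string.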

Alternatively, you can restrict users to cvsweb only.
Modify $GFORGE/www/scm/index.php as follows:
1) Find '<a href="/scm/controller.php' and delete that line.
2) Find '<a href="/scm/controlleroo.php' and delete that line.
3) Delete controller.php, controlleroo.php, viewFile.php.

Vendor URL

Jeremy Bae at STG Security