[Gforge-devel] [ gforge-Bugs-270 ] Security hole in Alexandria
From: noreply
Subject: [Gforge-devel] [ gforge-Bugs-270 ] Security hole in Alexandria
Date: Sun, 30 Mar 2003 12:35:43 -0600
Bugs item #270, was opened at 2003-03-30 13:35
You can respond by visiting:
http://gforge.org/tracker/?func=detail&atid=105&aid=270&group_id=1
Category: File Release System
Group: None
Status: Open
Priority: 5
Submitted By: Yakov Shafranovich (yakovsh)
Assigned to: Nobody (None)
Summary: Security hole in Alexandria
Initial Comment:
The following security hole has been found in SourceForge Alexandria code. Since gForge is based on that code, we might be affected.
-----------------------------------
From: Thomas Kristensen <address@hidden>
To: address@hidden
Date: 28 Mar 2003 14:54:33 +0100
Subject: [VulnWatch] Alexandria-dev / sourceforge multiple vulnerabilities
======================================================================
Secunia Research 28/03/2003
- Alexandria-dev / sourceforge multiple vulnerabilities -
======================================================================
Receive Secunia Security Advisories for free:
http://www.secunia.com/subscribe_secunia_security_advisories/?6
======================================================================
Table of Contents
1) Description of software
2) Description of vulnerabilities
3) Affected Software
4) Severity
5) Solution
6) Time Table
7) About Secunia
8) Credits
9) Verification
======================================================================
1) Description of software
Alexandria ( http://sourceforge.net/projects/alexandria-dev/ ) is an open-sourced project management system. A modified version is used by the highly popular sourceforge.net web site, which hosts a large percentage of all open source projects.
======================================================================
2) Description of vulnerabilities
a) Upload spoofing
Both Alexandria's "docman/new.php" script and its "patch/index.php" script have got upload spoofing security holes, that is, they allow an attacker to fool them into treating any file on the web server as if it is the uploaded file.
When uploading a file, PHP stores it in a temporary file and saves its location in the global variable named by the <input type="file"..> tag's name attribute. The programmer is supposed to check that the file really was uploaded, by using functions such as "is_uploaded_file()" or "move_uploaded_file()", but lots of people forget that.
By POSTing some normal <input type="text"..> data to the two scripts mentioned above, with the same name attribute as the file upload, an attacker can exploit this and retrieve "/etc/passwd", "/etc/local.inc" with SourceForge's database username/password combination, or other important files.
Here is an example. A normal upload HTML form might look like this:
  <form method="POST" enctype="multipart/form-data" action="script.php">
    <input type="file" name="thefile" size="30">
    <input type="submit" value="Upload it!">
  </form>
To conduct upload spoofing on a vulnerable program like SourceForge, an attacker can use this form instead:
  <form method="POST" enctype="multipart/form-data" action="script.php">
    <input type="text" name="thefile" value="/etc/passwd" size="30">
    <input type="submit" value="Upload it!">
  </form>
b) Spamming and CRLF Injection
Alexandria's "sendmessage.php" script tries to prevent people from using it for spamming, by only allowing "To" addresses that contain the domain of the current Alexandria installation. It is very easy to get around, though. If the domain is "our-site", a spammer can use the power of RFC 2822 to construct an e-mail address like "our-site <address@hidden>", which will fool Alexandria into allowing e-mails to address@hidden, as its domain is found somewhere in the address.
The "sendmessage.php" script also suffers from CRLF Injection, allowing people to add new mail headers so that they can send HTML mails for instance.
c) Cross Site Scripting
Users' real names, users' resumes (under skills profile), short and long job descriptions as well as short project descriptions all suffer from Cross Site Scripting problems. This means that malicious users may steal other users' cookies or perform actions under their names.
======================================================================
3) Affected Software
At least Alexandria versions 2.5 and 2.0 are vulnerable to these problems.
WebSite: http://sourceforge.net/projects/alexandria-dev/
======================================================================
4) Severity
Rating: Highly critical
Impact: Cross Site Scripting
        Exposure of system information
        Security Bypass
Where:  From Remote
======================================================================
5) Solution
A new release will not be issued. The source code is no longer supported by SourceForge / VASoftware.
The latest version of the commercial solution "SourceForge Enterprise Edition" is not believed to be vulnerable.
======================================================================
6) Time Table
19/03/2003 - SourceForge.net contacted
19/03/2003 - SourceForge.net confirmed
21/03/2003 - SourceForge.net asked us to hold until 26/3/2003
28/03/2003 - Vulnerability public disclosure
We have also contacted other sites believed to use code derived from SourceForge / Alexandria.
======================================================================
7) About Secunia
Secunia collects, validates, assesses and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website:
http://www.secunia.com/
Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://www.secunia.com/subscribe_secunia_security_advisories/?5
======================================================================
8) Credits
Discovered by Ulf Harnhammar
======================================================================
9) Verification
Please verify this advisory by visiting the Secunia website.
http://www.secunia.com/secunia_research/2003-2/
======================================================================
----------------------------------------------------------------------
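As an added example, not code from Alexandria, SourceForge or GForge: the register_globals-era upload handling described under a) beside a handler that verifies the file really came from the request, and a recipient check that closes both sendmessage.php holes under b). The field name "thefile" comes from the advisory's form; $upload_dir, $site_domain and the function names are assumptions.

```php
<?php
// Added example, not Alexandria's own code. "thefile" is the field name
// from the advisory's form; $upload_dir, $site_domain and the function
// names are assumptions made for illustration.

// VULNERABLE pattern: with register_globals on, a POSTed text field named
// "thefile" sets $thefile exactly as a real upload would, so a value of
// "/etc/passwd" makes the script treat that file as the upload.
function save_upload_vulnerable($thefile, $upload_dir)
{
    $dest = $upload_dir . '/' . basename($thefile);
    // copy() accepts any readable path, attacker-chosen ones included.
    return copy($thefile, $dest) ? $dest : null;
}

// HARDENED: read only $_FILES, confirm PHP's own upload bookkeeping with
// is_uploaded_file(), and move with move_uploaded_file(), which refuses
// any path that was not uploaded through the current request.
function save_upload_hardened(array $files, $upload_dir)
{
    if (!isset($files['thefile']) || $files['thefile']['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $tmp = $files['thefile']['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        return null; // not created by PHP's upload handler: spoofed
    }
    // Do not reuse the client-supplied filename as a path component.
    $dest = $upload_dir . '/' . bin2hex(random_bytes(16));
    return move_uploaded_file($tmp, $dest) ? $dest : null;
}

// sendmessage.php-style recipient check. A substring test for the site's
// domain lets "our-site <someone@elsewhere>" through; this version instead
// requires one bare address whose domain part equals the site's domain.
function recipient_allowed($to, $site_domain)
{
    // CR or LF anywhere in a header value lets the sender append headers
    // (Bcc:, Content-Type: text/html), so reject it before anything else.
    if (preg_match('/[\r\n]/', $to)) {
        return false;
    }
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        return false; // rejects display-name forms like "our-site <x@y>"
    }
    $domain = substr($to, strrpos($to, '@') + 1);
    return strcasecmp($domain, $site_domain) === 0;
}
```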