======================================================================

Secunia Research 28/03/2003

- Alexandria-dev / sourceforge multiple vulnerabilities -

======================================================================

Receive Secunia Security Advisories for free:
http://www.secunia.com/subscribe_secunia_security_advisories/?6

======================================================================
Table of Contents

1..............................................Description of software
2.......................................Description of vulnerabilities
3....................................................Affected Software
4.............................................................Severity
5.............................................................Solution
6...........................................................Time Table
7........................................................About Secunia
8..............................................................Credits
9.........................................................Verification

======================================================================
1) Description of software

Alexandria ( http://sourceforge.net/projects/alexandria-dev/ ) is an
open-sourced project management system. A modified version is used by
the highly popular sourceforge.net web site, which hosts a large
percentage of all open source projects.

======================================================================
2) Description of vulnerabilities

a) Upload spoofing

Both Alexandria's "docman/new.php" script and its "patch/index.php"
script have upload spoofing security holes, that is, they allow an
attacker to fool them into treating any file on the web server as if
it were the uploaded file. When uploading a file, PHP stores it in a
temporary file and saves its location in the global variable named by
the <input> tag's name attribute.

The programmer is supposed to check that the file really was uploaded,
by using functions such as "is_uploaded_file()" or
"move_uploaded_file()", but lots of people forget that. By POSTing
some normal data to the two scripts mentioned above, with the same
name attribute as the file upload, an attacker can exploit this and
retrieve "/etc/passwd", "/etc/local.inc" with SourceForge's database
username/password combination, or other important files.

Here is an example. A normal upload HTML form might look like this:

To conduct upload spoofing on a vulnerable program like SourceForge,
an attacker can use this form instead:
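As an added illustration (not code from the advisory or from Alexandria), the missing-check pattern described above beside the is_uploaded_file()/move_uploaded_file() handling that defeats it; the function names, the destination directory and the "userfile" field name are assumptions:

```php
<?php
// Vulnerable pattern from the advisory: the script trusts whatever path it
// receives as "the uploaded file" and reads it. Under PHP 4 register_globals
// a plain POST field carrying the upload control's name set $userfile
// directly, so any path on the server could be supplied as the "upload".
function storeDocumentUnsafe(string $tmpPath, string $dest): bool
{
    $data = file_get_contents($tmpPath);   // reads the supplied path as-is
    return file_put_contents($dest, $data) !== false;
}

// Hardened version: accept only a file PHP itself received in this request.
function storeDocumentSafe(array $file, string $destDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;                        // no upload, or upload failed
    }
    $tmp = $file['tmp_name'] ?? '';
    // is_uploaded_file() is false for any path not created by the HTTP
    // upload mechanism, which is exactly what a spoofed POST produces.
    if (!is_uploaded_file($tmp)) {
        return null;
    }
    // Never reuse a client-supplied name; generate the destination ourselves.
    $dest = $destDir . '/' . bin2hex(random_bytes(16));
    // move_uploaded_file() repeats the same check and refuses other paths.
    if (!move_uploaded_file($tmp, $dest)) {
        return null;
    }
    return $dest;
}

// Usage in a request handler (assumed field name "userfile"):
// $saved = storeDocumentSafe($_FILES['userfile'] ?? [], '/var/docman');
```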
b) Spamming and CRLF Injection

Alexandria's "sendmessage.php" script tries to prevent people from
using it for spamming, by only allowing "To" addresses that contain
the domain of the current Alexandria installation. It is very easy to
get around, though. If the domain is "our-site", a spammer can use the
power of RFC 2822 to construct an e-mail address like
"our-site <mike@someothersite.net>", which will fool Alexandria into
allowing e-mails to mike@someothersite.net, as its domain is found
somewhere in the address.

The "sendmessage.php" script also suffers from CRLF Injection,
allowing people to add new mail headers so that they can send HTML
mails for instance.

c) Cross Site Scripting

Users' real names, users' resumes (under skills profile), short and
long job descriptions as well as short project descriptions all suffer
from Cross Site Scripting problems. This means that malicious users
may steal other users' cookies or perform actions under their names.

======================================================================
3) Affected Software

At least Alexandria versions 2.5 and 2.0 are vulnerable to these
problems.

WebSite: http://sourceforge.net/projects/alexandria-dev/

======================================================================
4) Severity

Rating: Highly critical

Impact: Cross Site Scripting
        Exposure of system information
        Security Bypass

Where:  From Remote

======================================================================
5) Solution

No new release will be issued. The source code is no longer supported
by SourceForge / VASoftware. The latest version of the commercial
solution "SourceForge Enterprise Edition" is not believed to be
vulnerable.
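The recipient check from section 2b above, rewritten so that a display name cannot satisfy the domain test and so that CR/LF in header values is rejected (added example, not sendmessage.php's own code; the function names and $siteDomain are assumptions):

```php
<?php
// Return the bare addr-spec from "addr@domain" or "Name <addr@domain>",
// or null if the value is malformed or carries a line break.
function extractAddrSpec(string $to): ?string
{
    // Any CR or LF would let the value start a new mail header, so refuse it.
    if (preg_match('/[\r\n]/', $to)) {
        return null;
    }
    // Optional display name followed by "<", then exactly one addr-spec.
    if (preg_match('/^(?:[^<>]*<)?([^<>\s@]+@[^<>\s@]+)>?$/', trim($to), $m)) {
        return $m[1];
    }
    return null;
}

// The original check looked for the site domain anywhere in the string;
// this one compares the domain part of the real addr-spec exactly.
function isAllowedRecipient(string $to, string $siteDomain): bool
{
    $addr = extractAddrSpec($to);
    if ($addr === null) {
        return false;
    }
    $domain = substr($addr, strrpos($addr, '@') + 1);
    return strcasecmp($domain, $siteDomain) === 0;
}

// Apply to every user-controlled header value (Subject, From, ...): strip
// CR and LF so the value cannot inject additional headers.
function sanitizeHeaderValue(string $v): string
{
    return str_replace(["\r", "\n"], '', $v);
}

// Constructed checks:
// isAllowedRecipient('alice@our-site', 'our-site')                     -> true
// isAllowedRecipient('our-site <mike@someothersite.net>', 'our-site')  -> false
// isAllowedRecipient("alice@our-site\r\nBcc: x@y", 'our-site')         -> false
```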
======================================================================
6) Time Table

19/03/2003 - SourceForge.net contacted
19/03/2003 - SourceForge.net confirmed
21/03/2003 - SourceForge.net asked us to hold until 26/3/2003
28/03/2003 - Vulnerability public disclosure

We have also contacted other sites believed to use code derived from
SourceForge / Alexandria.

======================================================================
7) About Secunia

Secunia collects, validates, assesses and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:
http://www.secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:
http://www.secunia.com/subscribe_secunia_security_advisories/?5

======================================================================
8) Credits

Discovered by Ulf Harnhammar

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website.
http://www.secunia.com/secunia_research/2003-2/

======================================================================