GForge Multiple Information Disclosure Vulnerabilities

Bugtraq ID:	12318
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Jan 20 2005 12:00AM
Updated:	Jan 20 2005 12:00AM
Credit:	Discovery of these vulnerabilities is credited to Jeremy Bae.
Vulnerable:	GForge GForge 3.21 GForge GForge 3.3 GForge GForge 3.2 GForge GForge 3.1 + Debian Linux 3.1 sparc + Debian Linux 3.1 s/390 + Debian Linux 3.1 ppc + Debian Linux 3.1 mipsel + Debian Linux 3.1 mips + Debian Linux 3.1 m68k + Debian Linux 3.1 ia-64 + Debian Linux 3.1 ia-32 + Debian Linux 3.1 hppa + Debian Linux 3.1 arm + Debian Linux 3.1 amd64 + Debian Linux 3.1 alpha + Debian Linux 3.1
Not Vulnerable:	GForge GForge 4.0

GForge Multiple Information Disclosure Vulnerabilities

GForge is reported prone to multiple input validation vulnerabilities that may be exploited to disclose directory listings outside of the designated CVS root directory. The vulnerabilites exist due to a lack of sufficient sanitization performed on user supplied URI parameters.

Information that is disclosed in this manner may be used to aid in further attacks that are launched against the target computer.

GForge Multiple Information Disclosure Vulnerabilities

No exploit is required.

GForge Multiple Information Disclosure Vulnerabilities

Solution:
It is reported that these issues are addressed in the 4.x tree of GForge, this is not confirmed. Customers are advised to contact the vendor for details in regards to obtaining and applying an appropriate update.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.

GForge Multiple Information Disclosure Vulnerabilities

References:

• GForge Homepage (GForge)
  
• STG Security Advisory: [SSA-20050120-24] GForge 3.x directory traversal vulnera ()