Package: gforge
Version: 3.1-26
Severity: grave
Tags: security sarge sid patch

The sid/sarge version seems to be vulnerable to this. Please correct it. The correction should be in the GForge CVS, otherwise sanitising the dir should be easy (i.e. recursively strip "../").

Candidate: CAN-2005-0299
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0299
Reference: BUGTRAQ:20050120 STG Security Advisory: [SSA-20050120-24] GForge 3.x directory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110627132209963&w=2
Reference: BID:12318
Reference: URL:http://www.securityfocus.com/bid/12318
Reference: XF:gforge-dir-dirname-directory-traversal(18988)
Reference: URL:http://xforce.iss.net/xforce/xfdb/18988

Directory traversal vulnerability in GForge 3.3 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the (1) dir parameter to controller.php or (2) dir_name parameter to controlleroo.php.

Regards,
Joey

-- 
The good thing about standards is that there are so many to choose from.
-- Andrew S. Tanenbaum

Please always Cc to me when replying to me on the lists.
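The report suggests sanitising the directory parameter by recursively stripping "../". The following is an added example, not code from the bug report or from GForge (which is written in PHP; Python is used here so the logic can be run anywhere without a web stack). It places the report's strip-and-join approach beside a confinement check that canonicalises the joined path and verifies it still lies under the intended base directory, so the decision is made on the resulting path rather than on the input string. The base directory, the sample request values and the `resolve_within` / `naive_strip` names are all constructed for this illustration; `posixpath` is used instead of `os.path` so the results are deterministic and no files need to exist.

```python
import posixpath

# Hypothetical upload root; a real deployment would use its configured data directory.
BASE_DIR = "/var/lib/gforge/uploads"


def naive_strip(user_path):
    """Sanitiser in the spirit of the report: repeatedly remove '../' from the input."""
    while "../" in user_path:
        user_path = user_path.replace("../", "")
    return user_path


def naive_join(base_dir, user_path):
    """Strip-then-join. Note that posixpath.join discards base_dir when the
    stripped value is still absolute, so an absolute input is not confined."""
    return posixpath.join(base_dir, naive_strip(user_path))


def resolve_within(base_dir, user_path):
    """Confinement check: join, canonicalise, then verify the prefix.

    Returns the canonical path when it lies inside base_dir, otherwise None.
    Leading '/' is dropped so absolute input is treated as relative to the base.
    """
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, user_path.lstrip("/")))
    # Compare against base + "/" so a sibling such as '/uploads-evil' does not
    # pass a bare startswith(base) test.
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


# Constructed sample values standing in for a 'dir' request parameter.
SAMPLE_REQUESTS = [
    "project/readme.txt",        # ordinary relative path
    "./project/./readme.txt",    # redundant '.' segments
    "../../../../etc/passwd",    # classic escape via '..'
    "project/../../secret",      # escape after a valid first segment
    "/etc/passwd",               # absolute input
    "../uploads-evil/x",         # sibling directory sharing the base's prefix
]


def triage(base_dir=BASE_DIR, requests=SAMPLE_REQUESTS):
    """Return (input, confined_path_or_None) for each sample request."""
    return [(req, resolve_within(base_dir, req)) for req in requests]


if __name__ == "__main__":
    for req, result in triage():
        verdict = "ALLOW " + result if result else "REJECT"
        print(f"{req!r:32} -> {verdict}")
```

The confinement function is the one to keep: it accepts the first two samples and the absolute input (re-rooted under the base), and rejects the three escapes. A production version should additionally pass the confined path through `os.path.realpath` and repeat the prefix check, because `normpath` operates on strings only and does not see symbolic links inside the base directory.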