FusionForge Apache Configuration Vulnerability Allowing Script Execution from SCM Repositories

Vulnerability

A vulnerability exists in FusionForge versions prior to 5.3+20140506, specifically in the Apache configuration shipped with the software. The configuration allows the web server to execute scripts that users have uploaded to their raw source control management (SCM) repositories, such as SVN, Git, and Bazaar. Exploitation depends on file-level access to the raw repositories, bypassing standard SCM commands. Scripts committed to the repositories in the normal way may not be executed through this vulnerability.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of scripts on the web server, potentially allowing for malicious actions to be performed in the context of the server.

Remediation

Users can manually update their Apache configuration file to the fixed version available in the FusionForge Git repository. An updated 5.2 release is also being prepared for new installations.
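
The following is an added illustration of the kind of Apache hardening that stops a web server from executing files under a repository directory. It is not FusionForge's own fix; the fixed file in the FusionForge Git repository remains authoritative. The directory path is a placeholder, and the extension list and the PHP module name are assumptions to adapt to the installation.

```apache
# Placeholder path: replace with the directory that holds the raw SCM repositories.
<Directory "/path/to/scm/repositories">
    # Do not run CGI programs or server-side includes from repository content.
    Options -ExecCGI -Includes

    # Ignore any .htaccess file placed inside a repository, so a user
    # cannot re-enable handlers from within their own tree.
    AllowOverride None

    # Force the static-file handler for everything under this directory,
    # overriding handler mappings inherited from the global configuration.
    SetHandler default-handler

    # Remove extension-to-handler and extension-to-type mappings that would
    # otherwise select an interpreter (extension list is an assumption).
    RemoveHandler .php .cgi .pl .py
    RemoveType .php

    # If mod_php is loaded, switch the PHP engine off for this directory.
    # The module file name depends on the PHP version in use (assumption).
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>
</Directory>
```

After editing, `apachectl configtest` checks the syntax before the server is reloaded.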

Added: Jun 26, 2025, 9:20 PM
Updated: Jun 26, 2025, 9:20 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 7.5
exploitability: 7.4
remediation: 6.0
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.