PT-2009-5612 · Gforge · Gforge

Sylvain Beucler · Published 2009-12-04 · Updated 2009-12-07 · CVE-2009-3304

CVSS v2.0: 3.3 (Low)
Vector: AV:L/AC:M/Au:N/C:N/I:P/A:P
Name of the Vulnerable Software and Affected Versions: GForge 4.5.14, 4.7 rc2, 4.8.2
Description: The deb-specific/ssh_dump_update.pl and cronjobs/cvs-cron/ssh_create.php scripts rewrite the authorized_keys file in each user's home directory from a scheduled job that runs with more privilege than the user whose directory is being written. Neither script checks whether the target path is a symbolic link before writing, so a local user who replaces their own ~/.ssh/authorized_keys with a symlink can make the script overwrite the link target instead (local arbitrary file overwrite; integrity and availability impact, no confidentiality impact, as the CVSS vector reflects).
Recommendations: Install the fixed packages referenced by DSA-1945-1. Until that is possible, on any affected version (4.5.14, 4.7 rc2 or 4.8.2) stop both scripts from running as a privileged user: disable the cron entry that executes cronjobs/cvs-cron/ssh_create.php and do not run deb-specific/ssh_dump_update.pl. While the scripts are disabled, SSH keys added through GForge are not propagated to users' authorized_keys files, so apply the fix rather than relying on the workaround.
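The following is an added illustration of the weakness class and of a writer that resists it; it is not code from GForge or from the advisory. It is written in Python rather than the Perl and PHP of the affected scripts because the relevant primitives (O_NOFOLLOW, O_DIRECTORY, opening relative to a directory descriptor, fstat checks) are operating-system calls, not language features. The attacker's home directory, the planted symlink, the "victim" file standing in for a system file, and the sample key line are all constructed inside a temporary directory so the script runs offline as an unprivileged user.

```python
"""Symlink attack on ~/.ssh/authorized_keys written by a privileged job,
next to a hardened writer. Added illustration for CVE-2009-3304, not
GForge code; all paths and data below are constructed for the demo."""
import errno
import os
import stat
import tempfile

# Constructed sample key line, not a real key.
SAMPLE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEEXAMPLEEXAMPLE user@gforge\n"


def vulnerable_write(authorized_keys_path: str, data: str) -> None:
    """The pattern behind the advisory: open() resolves the path through any
    symlink the user planted, so a privileged writer clobbers the link target."""
    with open(authorized_keys_path, "w") as f:
        f.write(data)


def safe_write(home_dir: str, data: str, owner_uid: int) -> None:
    """Rewrite <home_dir>/.ssh/authorized_keys without following links.

    - .ssh is opened with O_NOFOLLOW|O_DIRECTORY and must belong to owner_uid;
    - the file is opened relative to that descriptor (the path is not
      re-resolved) with O_NOFOLLOW, so a symlink fails with ELOOP;
    - the opened file must be a regular file with one link, owned by
      owner_uid or by this process (the case where O_CREAT just made it),
      which also rejects a hard link to someone else's file.
    Parent components (e.g. /home) are assumed root-owned, not user-writable.
    Raises OSError when any check fails; the target is left untouched.
    """
    ssh_dir = os.path.join(home_dir, ".ssh")
    dfd = os.open(ssh_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        if os.fstat(dfd).st_uid != owner_uid:
            raise OSError(errno.EPERM, "~/.ssh not owned by expected user", ssh_dir)
        fd = os.open("authorized_keys",
                     os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o600, dir_fd=dfd)
        try:
            fst = os.fstat(fd)
            if (not stat.S_ISREG(fst.st_mode) or fst.st_nlink != 1
                    or fst.st_uid not in (owner_uid, os.geteuid())):
                raise OSError(errno.EPERM, "authorized_keys is not a plain user-owned file")
            os.ftruncate(fd, 0)          # truncate only after the checks passed
            os.write(fd, data.encode())
        finally:
            os.close(fd)
    finally:
        os.close(dfd)


def run_demo() -> dict:
    """Reproduce the overwrite in a throw-away tree, then show the hardened
    writer refusing the link and still working once a real file is in place."""
    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, "victim_file")   # stands in for a system file
        with open(victim, "w") as f:
            f.write("original contents\n")
        home = os.path.join(root, "home", "mallory")
        ssh_dir = os.path.join(home, ".ssh")
        os.makedirs(ssh_dir, mode=0o700)
        link = os.path.join(ssh_dir, "authorized_keys")
        os.symlink(victim, link)                     # the attacker's planted link

        vulnerable_write(link, SAMPLE_KEY)           # privileged job follows it
        with open(victim) as f:
            after_vulnerable = f.read()

        with open(victim, "w") as f:                 # reset the victim
            f.write("original contents\n")
        try:
            safe_write(home, SAMPLE_KEY, os.getuid())
            blocked = False
        except OSError:
            blocked = True
        with open(victim) as f:
            after_safe = f.read()

        os.unlink(link)                              # genuine file instead of a link
        safe_write(home, SAMPLE_KEY, os.getuid())
        with open(link) as f:
            keys = f.read()
    return {
        "victim_after_vulnerable_write": after_vulnerable,
        "safe_write_blocked": blocked,
        "victim_after_safe_write": after_safe,
        "keys_written_to_real_file": keys,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v!r}")
```

The ordering in safe_write matters: the descriptor is validated with fstat before ftruncate, so a failed check costs nothing, and the path is never re-resolved between check and write, which closes the check-then-use race a stat-before-open approach would leave open. In Perl the same shape is available through sysopen with O_NOFOLLOW; PHP's fopen has no such flag, so the usual alternatives are to write the file under the target user's own identity or to have a small privileged helper perform the guarded open.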

Fix

DSA-1945-1 (Debian security advisory with updated gforge packages)

Weakness Enumeration

Link Following (CWE-59: symbolic link resolved before file access)

Related Identifiers

CVE-2009-3304
DSA-1945-1

Affected Products

Gforge