Sourceforge.net has been compromised
It may not be as sensational as the headline sounds, but I can say with some surety that one of the projects on Sourceforge.net is compromised. The Yapig (Yet Another PHP Image Gallery) project home page (http://yapig.sourceforge.net) is definitely compromised. Normally, when you access a project using the above URL, you are redirected to a home page outside sourceforge. The sourceforge project home page (http://sourceforge.net/projects/yapig) is still good and takes you to the intended destination. The other one gives a 403 (Not authorised) error, and drilling down to /demo/photos/photos2291.html from the first link displays pornographic content.
So is it Sourceforge.net that has been compromised, or is it just one of the many projects? I don't know. But what I know is that the security policies and standards on sourceforge are not strong enough (I know they are not. I have an account there and the password is 6 characters and just letters, which I know is not good practice). If the entire site had been compromised, it would clearly have been the work of a determined individual or group of individuals. But since only one part of the site has been compromised, it means (at least to me) that the administrator of that part (project) had used weak passwords and weak security. Every project in sourceforge.net gets a soft quota of 100Mb web space to put whatever they "want" and need to complete the project ("want" in the sense that the project members may have shell access and can upload arbitrary content, presumably legal content..., but the users get to control what to put under their project space). So, assuming that the project members did not put up this content, someone with malicious intent has definitely done that, and that is not good news.
Some vulnerabilities that have been fixed in the project are listed on its home page:
* Vulnerability: Cross site scripting on add comment form (#1230491)
* Vulnerability: Save plain text login information in cookies (#1230491)
* Vulnerability: Arbitrary directory removal on upload.php (#1230491)
* Vulnerability: Extension checks on upload.php (#1230491)
* Vulnerability: Arbitrary file Inclusion global.php and last_gallery.php (#1230491)
* Vulnerability: Cross-site Scripting (#1230491)
* Vulnerability: Information disclosure in phid argument of view.php and slideshow.php (#1230491)
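The list above names the usual PHP gallery bug classes: unchecked upload extensions and user-controlled target directories, request parameters concatenated into include(), and comment text echoed back unescaped. The following is an added illustrative example of how each class is normally closed; it is not YAPIG's code and does not reproduce the fixes the project shipped. The function names (`uploadImage`, `resolveTemplate`, `renderComment`), the `$galleryRoot`/`$album` parameters and the template table are assumptions made for this example.

```php
<?php
// Added illustrative example (not YAPIG code): defensive patterns for the bug
// classes listed on the project page. All names below are assumptions.

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];
const ALLOWED_IMAGE_MIME = ['image/jpeg', 'image/png', 'image/gif'];

/**
 * Validate one entry of $_FILES and store it under $galleryRoot/$album.
 * - the destination directory is checked against an album name pattern, so
 *   no separators or ".." from the request reach the filesystem path
 *   (closes the "arbitrary directory" class);
 * - the stored file name is generated server-side, never taken from the client;
 * - extension AND sniffed MIME type are checked; the extension alone is
 *   client-controlled (closes the "extension checks on upload.php" class).
 */
function uploadImage(array $file, string $galleryRoot, string $album): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $album)) {
        return null;
    }
    $root = realpath($galleryRoot);
    if ($root === false) {
        return null;
    }
    $dest = $root . DIRECTORY_SEPARATOR . $album;
    if (!is_dir($dest)) {
        return null; // albums are created by an admin, not by an upload request
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    // Inspect the bytes, not the client-declared Content-Type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if (!in_array($finfo->file($file['tmp_name']), ALLOWED_IMAGE_MIME, true)) {
        return null;
    }
    // Server-chosen name: nothing from the request becomes part of the path.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = $dest . DIRECTORY_SEPARATOR . $stored;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    chmod($target, 0644); // stored images are never executable
    return $stored;
}

/**
 * Map a request parameter to an includable file through a fixed table rather
 * than building the path from the parameter (closes the "arbitrary file
 * inclusion" class seen in global.php / last_gallery.php).
 */
function resolveTemplate(string $name): ?string
{
    $templates = [
        'default' => __DIR__ . '/templates/default.php',
        'compact' => __DIR__ . '/templates/compact.php',
    ];
    return $templates[$name] ?? null;
}

/**
 * Escape user-supplied comment text before it is placed in HTML (closes the
 * "cross site scripting on add comment form" class).
 */
function renderComment(string $text): string
{
    return '<p class="comment">'
        . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</p>';
}

// Request handling for a template switch: unknown names are rejected outright.
$tpl = resolveTemplate($_GET['template'] ?? 'default');
if ($tpl === null) {
    http_response_code(400);
    exit;
}
include $tpl;
```

The common thread is that nothing taken from the request is used as a filesystem path or as markup; it is either matched against a fixed allowlist or escaped for the output context. The plaintext-credentials-in-cookie item on the list is a separate session-design problem and is not covered by this snippet.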
Apparently this part of the site is compromised through one of these vulnerabilities or another one that is yet to be disclosed / discovered, which makes it even scarier. This thread is currently active on the Bugtraq and Full-Disclosure mailing lists and I don't think anyone has reported it to Sourceforge.net. I have submitted a tracker (http://sourceforge.net/tracker/index.php?func=detail&atid=200001&aid=1650873&group_id=1) and will try to follow up on this breach.
Update: It does seem that this is affecting more than one project. Another project that is affected is: http://owl.sourceforge.net/uploads/owl-13.php. I will keep posting updates as I get them.