Orangescrum 1.6.1 can be downloaded from their official site (https://www.orangescrum.org) or here (if the latest official version is above 1.6.1)

I have contacted the developer twice, and their customer support once, but no response at all.

The vulnerability lies in the file upload feature for task attachments. No file type check or any other filtering is present (except a size limit), so any file can be uploaded.

[Image: orangescrum-upload-1]

The file is then copied to the upload directory (app/webroot/files/case_files) without any changes. In this case, I uploaded shell.php and it was copied to app/webroot/files/case_files/shell.php.

[Image: orangescrum-upload-2]

Look at the code in app/Controller/EasycasesController.php

[Image: orangescrum-upload-3php-code.png]

Any file can be uploaded, and it will be copied to the upload directory with exactly the same name and extension (if no file with that name already exists).

Condition to match: the constant USE_S3 must be 0 (it is set to 1 when an AWS S3 bucket is used).

[Image: orangescrum-constant-s3]
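As an added illustration (not Orangescrum's code and not the author's exploit), the following Python models the behaviour described above next to a hardened check and a small audit helper for an existing install; the allow-list of attachment types and the set of server-side script extensions are assumptions, and the sample directory listing is constructed.

```python
import re
import secrets
from pathlib import PurePosixPath

# Upload directory named in the write-up.
UPLOAD_DIR = "app/webroot/files/case_files"
# Assumed allow-list of attachment types; a real deployment picks its own.
ALLOWED_EXT = {"pdf", "png", "jpg", "jpeg", "gif", "txt", "csv", "docx", "xlsx", "zip"}
# Assumed set of extensions a PHP web server hands to the interpreter. Any of these at
# any position in the name (e.g. notes.php.jpg) is grounds for rejection.
SERVER_SIDE_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "pht"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,100}$")


def weak_target(filename):
    """Mirror the behaviour described on the page: the client-supplied name is used
    verbatim, so shell.php is stored inside the webroot as shell.php."""
    return f"{UPLOAD_DIR}/{filename}"


def check_attachment_name(filename):
    """Validate a client-supplied name. Returns (accepted, extension_or_reason)."""
    if "\x00" in filename:
        return False, "null byte in filename"
    base = PurePosixPath(filename.replace("\\", "/")).name  # drop any directory part
    if not SAFE_NAME.match(base):
        return False, "unexpected characters or length"
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:  # also rejects dotfiles such as .htaccess
        return False, "missing extension"
    exts = parts[1:]
    if SERVER_SIDE_EXT & set(exts):
        return False, "server-side script extension"
    if exts[-1] not in ALLOWED_EXT:
        return False, f"extension .{exts[-1]} not allowed"
    return True, exts[-1]


def safe_target(filename):
    """Hardened counterpart of weak_target: allow-listed extension only, and a random
    stored name so the client never controls what ends up on disk. None = rejected."""
    ok, ext = check_attachment_name(filename)
    return f"{UPLOAD_DIR}/{secrets.token_hex(16)}.{ext}" if ok else None


def find_executable_uploads(listing):
    """Defender's audit over the names already in the upload directory: return those
    the web server would execute rather than serve as data."""
    return [n for n in listing if SERVER_SIDE_EXT & set(n.lower().split(".")[1:])]


if __name__ == "__main__":
    sample_listing = ["report.pdf", "shell.php", "logo.png", "notes.php.jpg"]  # constructed
    print(weak_target("shell.php"), safe_target("shell.php"), safe_target("report.pdf"))
    print(find_executable_uploads(sample_listing))
```

Validation alone is not the whole fix: the upload directory should also be served with script execution disabled, or kept outside the webroot entirely.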

I wrote an exploit for this vulnerability, which can be downloaded here

How to use the exploit

[Image: orangescrum-new-sc]


Other related links:

Orangescrum 1.6.1 Multiple Vulnerabilities (2) – Arbitrary File Copy/Overwrite

Orangescrum 1.6.1 Multiple Vulnerabilities (3) – Persistent XSS


https://cupuzone.wordpress.com/2017/07/14/orangescrum-1-6-1-multiple-vulnerabilities-4-sql-injection/