The second bug of orangescrum 1.6.1 I want to discuss is arbitrary file copy/overwrite.

Ok lets start

Open menu “Users“, then click on an image profile, open in new tab. It will open new tab with url like this http://localhost/orangescrum/users/image_thumb/?type=photos&file=a6ebd6bd62ba537f37b7b8ac40aa626d.png&sizex=94&sizey=94&quality=100

orangescrum-cp

It shows the image profile of  the user.

orangescrum-cp2

The file is physically located at app/webroot/files/photosorangesss.png

Now we try to modify the url

http://localhost/orangescrum/users/image_thumb/?type=photos&file=../../img/filter_icon.png&sizex=100&sizey=100&quality=100

It opens a file that is located at webroot/img/filter_icon.png

orangescrummm

Hmmmmmmmm, so, how to copy anything into anything like I said before?

Lets take a look at the code. The code to process the url we talked about is in app/webroot/users/image_thumb/index.php at function image_thumb.

Screenshot from 2017-07-13 12-48-59

It calls another function GenerateThumbFile that located at app/webroot/users/image_thumb/ImageComponent.php

orangescrumshsh

TLDR 😀 😀 It will copy the image if these condition is met :

  1. value of get variable sizex must equal to real width of the image
  2. value of get variable sizey must equal to real height of the image
  3. $this->image_type is true, dont worry it is true by default
  4. we must provide name file destination. we can provide it in get parameter dest
  5. USE_S3 is set to 0 (default is 0)

orangescrumgjgj

Ok, lets try to copy file filter_icon.png into app/webroot/file/photos/hacked.php

So, the url will be http://localhost/orangescrum/users/image_thumb/?type=photos&file=../../img/filter_icon.png&sizex=13&sizey=14&quality=100&dest=hacked.php

File filter_icon.png will be copied into app/webroot/users/image_thumb/hacked.php

orangescrumyjyj

Now we try to overwrite file hacked.php with file a6ebd6bd62ba537f37b7b8ac40aa626d.png , so we modify the url into http://localhost/orangescrum/users/image_thumb/?type=photos&file=a6ebd6bd62ba537f37b7b8ac40aa626d.png&sizex=120&sizey=120&quality=100&dest=hacked.php

orangescrumgkgkg

orangescrumdbdb.png

What if we change our image profile with some image-exif-injected-php file and do like above?? I tried and succeed. You can try by yourself

 

Other related links :

https://cupuzone.wordpress.com/2017/07/12/orangescrum-1-6-1-multiple-vulnerabilities-1-arbitraty-file-upload/
https://cupuzone.wordpress.com/2017/07/14/orangescrum-1-6-1-multiple-vulnerabilities-3-persistent-xss/
https://cupuzone.wordpress.com/2017/07/14/orangescrum-1-6-1-multiple-vulnerabilities-4-sql-injection/