Vendor: orangescrum
Author: Hubert Wojciechowski
CVSS: 6.5 (MEDIUM)
Type: Privilege escalation
CWE: 264
Product Name: orangescrum
Affected Version From: 1.8.2000
Affected Version To: 1.8.2000
Patch Exists: NO
Related CWE:
CPE: a:orangescrum:orangescrum:1.8.0
Metasploit:
Other Scripts:
Platforms Tested: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
Year: 2021

orangescrum 1.8.0 – Privilege escalation (Authenticated)

The vulnerability allows an authenticated user to take over any other account that is assigned to the same project. The attacker's account must be a member of that project together with the account to be taken over. The application identifies the logged-in user by the value of the 'USER_UNIQ' cookie, and the dashboard page source lists every project member's 'uniq_id' in a 'var PUSERS' JavaScript variable. The exploit therefore consists of opening the dashboard, viewing the page source, locating 'var PUSERS', copying the victim's 'uniq_id', setting the 'USER_UNIQ' cookie to that value, and refreshing the page, after which the session is logged in as the victim.

Mitigation:

The logged-in identity should not be derived from the client-controlled 'USER_UNIQ' cookie; it should be bound to the server-side session established at login, and the per-user 'uniq_id' values should not be emitted into the page source ('var PUSERS') where any project member can read them. No vendor patch was available at the time of publication.

Exploit-DB raw data:

# Exploit Title: orangescrum 1.8.0 - Privilege escalation (Authenticated)
# Date: 07/10/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Company: https://redteam.pl
# Vendor Homepage: https://www.orangescrum.org/
# Software Link: https://www.orangescrum.org/
# Version: 1.8.0
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### Privilege escalation

# The attacker's user must be assigned to the same project as the account they want to take over
# The vulnerability in the application allows for:

* Taking over any account that is assigned to the same project

-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------

## Example

1. Go to the dashboard
2. Go to the page source view
3. Find "var PUSERS" in the source
4. Copy the victim's "uniq_id"
5. Change the "USER_UNIQ" cookie to the victim's value taken from the page source
6. After refreshing the page, you are logged in to the victim's account
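The root cause described above (and in the summary at the top of the page) is that the application resolves "who is the current user" from a value the client sends, while also handing every project member the other members' values. The following is an added example written for this page, not Orangescrum's own code, showing that pattern beside a session-bound alternative. It assumes a PHP build with the pdo_sqlite extension; the table and column names (users, uniq_id, project_users), the function names, and the two user rows are constructed for the demonstration.

```php
<?php
// Added example (not Orangescrum code). Two ways a PHP application can resolve
// the current user. The first mirrors the flaw in the advisory: identity comes
// straight from a client-controlled cookie, so anyone who learns another user's
// uniq_id (for instance from a "var PUSERS" dump in page source) becomes that
// user. The second binds identity to the server-side session.
// Table/column/function names below are assumptions for illustration only.
declare(strict_types=1);

// --- Vulnerable pattern: the cookie value is the identity -----------------
function currentUserVulnerable(PDO $db): ?array
{
    if (!isset($_COOKIE['USER_UNIQ'])) {
        return null;
    }
    // Whatever the client sends is looked up and treated as authenticated.
    $stmt = $db->prepare('SELECT id, email FROM users WHERE uniq_id = :u');
    $stmt->execute([':u' => $_COOKIE['USER_UNIQ']]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// --- Hardened pattern: identity lives only in the server-side session -----
function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'httponly' => true,   // session id not readable from JavaScript
        'secure'   => true,   // session cookie only sent over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Called once, after the user's credential has been verified.
function loginUser(int $userId): void
{
    startSecureSession();
    session_regenerate_id(true);     // fresh session id on privilege change
    $_SESSION['user_id'] = $userId;  // the id never travels to the client
}

function currentUserHardened(PDO $db): ?array
{
    startSecureSession();
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    // The client only presents an opaque session id; the user id it maps to
    // was set by loginUser() and cannot be swapped for another member's.
    $stmt = $db->prepare('SELECT id, email FROM users WHERE id = :id');
    $stmt->execute([':id' => $_SESSION['user_id']]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Member lists rendered into a page should carry only what the UI needs
// (display name, a plain numeric id), never a value that doubles as a credential.
function projectMembersForPage(PDO $db, int $projectId): array
{
    $stmt = $db->prepare(
        'SELECT u.id, u.name FROM users u
         JOIN project_users pu ON pu.user_id = u.id
         WHERE pu.project_id = :p'
    );
    $stmt->execute([':p' => $projectId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Demonstration on an in-memory SQLite database (constructed data) -----
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT, uniq_id TEXT)');
$db->exec('CREATE TABLE project_users (project_id INTEGER, user_id INTEGER)');
$db->exec("INSERT INTO users VALUES (1, 'alice@example.test', 'Alice', 'a1b2c3'),
                                    (2, 'admin@example.test', 'Admin', 'd4e5f6')");
$db->exec('INSERT INTO project_users VALUES (7, 1), (7, 2)');

// Alice logs in legitimately; the hardened path records her id server-side.
loginUser(1);

// The client now presents the other member's uniq_id in the USER_UNIQ cookie.
$_COOKIE['USER_UNIQ'] = 'd4e5f6';

print_r([
    'cookie_based'   => currentUserVulnerable($db)['email'],
    'session_based'  => currentUserHardened($db)['email'],
    'page_members'   => projectMembersForPage($db, 7),
]);
```

Run with `php example.php` from the command line. With the same cookie swap, the cookie-based lookup resolves to the admin row while the session-based lookup still resolves to Alice, and the member list handed to the page contains names and numeric ids but no uniq_id values. Setting the session cookie to HttpOnly and Secure and regenerating the id at login does not by itself fix the advisory's issue; the fix is that the user id is read from `$_SESSION`, which the client cannot write.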