Now we will discuss SQL Injection. Orangescrum 1.6.1 suffers from SQL Injection (time-based blind SQL injection) in, among other places, http://localhost/orangescrum/easycases/ajax_change_AssignTo

[Image: orangescrum-sqlihdjhj.png]

The vulnerable code is

[Image: orangescrum-sqli]

Look at $sqldata: the variable $caseId is used in the query without being sanitized.

With a small edit of the code, I want to show how SQL Injection works against this query.

[Image: orangescrum-sqli2.png]

Using a small Python script, let's look at the results of the injections.

[Image: orangescrum-sql-blind]
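As an added illustration (this is not code from the post or from Orangescrum), the following Python/sqlite3 model shows why an unsanitized id pasted into the query text gives an attacker a true/false oracle, and how validating the value and binding it as a parameter removes that oracle. The post's time-based variant uses a delay as the oracle; here the oracle is simply whether a row comes back, since sqlite has no sleep function. The table `cases`, its columns and the sample rows are constructed for the example; the real Orangescrum query and schema are not reproduced.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the real case table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cases (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO cases VALUES (?, ?)",
        [(1, "Fix login"), (2, "Write docs"), (3, "Secret task")],
    )
    return conn


def lookup_vulnerable(conn, case_id):
    """Mirrors the flaw: the request value becomes part of the SQL text,
    so any SQL inside it is parsed as SQL."""
    sql = "SELECT id FROM cases WHERE id = " + case_id + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def validate_case_id(case_id):
    """Allow-list check: a case id must be a plain decimal integer."""
    if not re.fullmatch(r"[0-9]+", case_id):
        raise ValueError("invalid case id: %r" % case_id)
    return int(case_id)


def lookup_parameterised_only(conn, case_id):
    """Binding alone: the whole input is one value, never SQL syntax.
    A non-numeric value simply matches no row."""
    sql = "SELECT id FROM cases WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (case_id,))]


def lookup_safe(conn, case_id):
    """Hardened form: validate first, then bind the integer as a parameter."""
    cid = validate_case_id(case_id)
    sql = "SELECT id FROM cases WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (cid,))]


if __name__ == "__main__":
    db = make_db()
    # "1 AND 1=1" vs "1 AND 1=2" is the boolean oracle a blind injection relies on:
    # the vulnerable path answers differently, the hardened paths do not.
    for probe in ("2", "1 OR 1=1", "1 AND 1=1", "1 AND 1=2"):
        print("vulnerable   ", repr(probe), "->", lookup_vulnerable(db, probe))
        print("bound only   ", repr(probe), "->", lookup_parameterised_only(db, probe))
        try:
            print("validated    ", repr(probe), "->", lookup_safe(db, probe))
        except ValueError as exc:
            print("validated    ", repr(probe), "-> rejected:", exc)
```

Parameter binding alone is enough to stop the injection; the allow-list check is added so that malformed ids are rejected with an error and logged at the application layer instead of silently returning an empty result.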


Other related links:

https://cupuzone.wordpress.com/2017/07/12/orangescrum-1-6-1-multiple-vulnerabilities-1-arbitraty-file-upload/
https://cupuzone.wordpress.com/2017/07/14/orangescrum-1-6-1-multiple-vulnerabilities-2-arbitraty-file-copyoverwrite/
https://cupuzone.wordpress.com/2017/07/14/orangescrum-1-6-1-multiple-vulnerabilities-3-persistent-xss/