Timeclock 0.995 SQL Injection

2016.02.04

Credit: Marcela Benetrix

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-89

#############################
Exploit Title : Multiple SQL injections
Author:Marcela Benetrix
Date: 02/03/2016
version: 0.995 (older version may be vulnerable too)
software link:http://timeclock-software.net

#############################
Timeclock software

Timeclock-software.net's free software product will be a simple solution to allow your employees to record their time in one central location for easy access.

##########################
SQL Injection Location


1. http://example.com/view_data.php?period_id
2. http://example.com/edit_type.php?type_id=
3. http://example.com/edit_user.php?user_id=
4. http://example.com/edit_entry.php?time_id=

All of them are vulnerable to Union query and time-based blind.
Preconditions: The attacker must have a valid session in order to exploit it.

5. http://example.com/login.php
username and password parameters were also vulnerable to time-based blind sql injection type.


##########################
Vendor Notification
01/27/2015 to: the developers. They replied immediately and included the fix in a new release
02/03/2015: Disclosure
#############################

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Timeclock 0.995 SQL Injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.