TimeClock - Multiple SQL Injections
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: TimeClock - Multiple SQL Injections
- From: marcelabx@xxxxxxxxx
- Date: Tue, 2 Feb 2016 21:45:54 GMT
#############################
Exploit Title: Multiple SQL injections
Author: Marcela Benetrix
Date: 02/03/2016
Version: 0.995 (older versions may be vulnerable too)
Software link: http://timeclock-software.net
#############################
Timeclock software
Timeclock-software.net's free software product is intended as a simple solution
that allows your employees to record their time in one central location for
easy access.
##########################
SQL Injection Locations
1. http://example.com/view_data.php?period_id=
2. http://example.com/edit_type.php?type_id=
3. http://example.com/edit_user.php?user_id=
4. http://example.com/edit_entry.php?time_id=
All four id parameters are vulnerable to UNION-based and time-based blind SQL
injection.
Precondition: the attacker must hold a valid session in order to exploit them.
5. http://example.com/login.php
The username and password parameters are also vulnerable to time-based blind
SQL injection.
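A detection check for the four id parameters listed above, added here as an example and not part of the advisory or of TimeClock: it scans combined-format access log lines for requests to those scripts whose id value is anything other than a bare unsigned integer, since a legitimate value here is always a plain number and any injected content has to add other characters. It matches on the script name so the install directory does not matter; the log format, the /timeclock/ path and the sample lines are assumptions, and the login.php parameters are POST fields that do not appear in an access log, so this check does not cover them.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Affected scripts and the integer id parameter each takes, from the advisory.
ID_PARAMS = {"view_data.php": "period_id", "edit_type.php": "type_id",
             "edit_user.php": "user_id", "edit_entry.php": "time_id"}

# Combined log format (Apache/nginx); only the fields the check needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+')

def check_request(url):
    """Return (param, value) if the request hits an affected script with an id that is
    not a plain unsigned integer, else None. Matches the script name only, so the
    install directory does not matter."""
    parts = urlsplit(url)
    param = ID_PARAMS.get(posixpath.basename(parts.path))
    if param is None:
        return None
    # parse_qs percent-decodes, so an encoded quote or space is judged in decoded form
    for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
        if value and not re.fullmatch(r"[0-9]+", value):
            return param, value
    return None

def scan_log(text):
    """Return one (ip, timestamp, user, status, param, value) tuple per suspicious line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparsable line: skip it rather than abort the scan
        hit = check_request(m["url"])
        if hit:
            findings.append((m["ip"], m["ts"], m["user"], m["status"]) + hit)
    return findings

# Constructed sample lines (not from a real system); the 2nd and 4th carry non-numeric ids.
SAMPLE_LOG = """\
10.0.0.5 - alice [02/Feb/2016:21:45:54 +0000] "GET /timeclock/edit_user.php?user_id=7 HTTP/1.1" 200 1432
10.0.0.5 - alice [02/Feb/2016:21:46:10 +0000] "GET /timeclock/edit_user.php?user_id=7%27 HTTP/1.1" 500 512
10.0.0.9 - bob [02/Feb/2016:21:47:02 +0000] "GET /timeclock/view_data.php?period_id=3 HTTP/1.1" 200 2048
10.0.0.9 - bob [02/Feb/2016:21:47:30 +0000] "GET /timeclock/view_data.php?period_id=3-1 HTTP/1.1" 200 2048
10.0.0.9 - bob [02/Feb/2016:21:48:00 +0000] "POST /timeclock/login.php HTTP/1.1" 302 0
"""

for f in scan_log(SAMPLE_LOG):
    print("suspicious id: ip=%s user=%s %s=%r status=%s at %s" % (f[0], f[2], f[4], f[5], f[3], f[1]))
```

Because the advisory notes that exploitation needs a valid session, the captured remote user (or the session cookie, if logged) tells you which account to review.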
##########################
Vendor Notification
01/27/2015: reported to the developers. They replied immediately and included
the fix in a new release.
02/03/2015: disclosure.
#############################