| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 22 Aug 2008 15:49:18 -0700 From: Mike <ipso@...ppymail.ca> To: bugtraq@...urityfocus.com Subject: Re: TimeTrex Time and Attendance Cookie Theft This issue only affects TimeTrex v2.2.12 and older. TimeTrex v2.2.13 and newer are patched, the latest version can be downloaded from: http://www.timetrex.com/ or http://sourceforge.net/project/showfiles.php?group_id=174864&package_id=200595 Thanks. On 21 Aug 2008 16:50:07 -0000 DoZ@...kersCenter.com wrote: > [HSC] TimeTrex Time and Attendance Cookie Theft > > > TimeTrex allows companies to track and monitor employee attendance > accurately in real-time from anywhere > > in the world. An attacker may leverage these issues to execute > arbitrary script code in the browser of > > an unsuspecting user in the context of the affected site. Attacker > can tricks the user's computer into > > running code which is treated as trustworthy because it appears to > belong to the server, allowing the > > attacker to obtain a copy of the cookie or perform other operations. > > > > Hackers Center Security Group (http://www.hackerscenter.com) > Credit: Doz > > Class: Cross Site Scripting > Remote: Yes > > Product: TimeTrex > Vendor: http://www.timetrex.com > Version: N/A > > > Attackers can exploit these issues via a web client. > > > http://site.com/interface/Login.php?user_name=admin&password=XSS > http://site.com/interface/Login.php?user_name=XSS > > > > > Google Dork: TimeTrex Time and Attendance - Secure Login > > Reference: > > http://www.hackerscenter.com/index.php?/HSC-Research-Group/Advisories/HSC-TimeTrex-Time-and-Attendance-Cookie-Theft.html -- Mike (ipso@...ppymail.ca)
Powered by blists - more mailing lists