lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20080822154918.4218e8b8@ipso.snappymail.ca>
Date: Fri, 22 Aug 2008 15:49:18 -0700
From: Mike <ipso@...ppymail.ca>
To: bugtraq@...urityfocus.com
Subject: Re: TimeTrex Time and Attendance Cookie Theft

This issue only affects TimeTrex v2.2.12 and older. 

TimeTrex v2.2.13 and newer are patched, the latest version can be
downloaded from:

http://www.timetrex.com/

or

http://sourceforge.net/project/showfiles.php?group_id=174864&package_id=200595

Thanks.


On 21 Aug 2008 16:50:07 -0000
DoZ@...kersCenter.com wrote:

> [HSC] TimeTrex Time and Attendance Cookie Theft
> 
> 
> TimeTrex allows companies to track and monitor employee attendance
> accurately in real-time from anywhere
> 
> in the world. An attacker may leverage these issues to execute
> arbitrary script code in the browser of
> 
> an unsuspecting user in the context of the affected site. Attacker
> can tricks the user's computer into
> 
> running code which is treated as trustworthy because it appears to
> belong to the server, allowing the
> 
> attacker to obtain a copy of the cookie or perform other operations.
> 
> 
> 
> Hackers Center Security Group (http://www.hackerscenter.com)
> Credit: Doz
> 
> Class: Cross Site Scripting
> Remote: Yes
> 
> Product: TimeTrex
> Vendor: http://www.timetrex.com
> Version: N/A
> 
> 
> Attackers can exploit these issues via a web client.
> 
> 
> http://site.com/interface/Login.php?user_name=admin&password=XSS
> http://site.com/interface/Login.php?user_name=XSS
> 
> 
> 
> 
> Google Dork: TimeTrex Time and Attendance - Secure Login
> 
> Reference: 
> 
> http://www.hackerscenter.com/index.php?/HSC-Research-Group/Advisories/HSC-TimeTrex-Time-and-Attendance-Cookie-Theft.html


-- 
Mike (ipso@...ppymail.ca)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ