Message-Id: <201602022145.u12LjsGV026878@sf01web3.securityfocus.com>
Date: Tue, 2 Feb 2016 21:45:54 GMT
From: marcelabx@...il.com
To: bugtraq@...urityfocus.com
Subject: TimeClock - Multiple SQL Injections

#############################
Exploit Title: Multiple SQL injections
Author: Marcela Benetrix
Date: 02/03/2016
Version: 0.995 (older versions may be vulnerable too)
Software link: http://timeclock-software.net
#############################

Timeclock software

Timeclock-software.net's free software product is a simple solution that lets your employees record their time in one central location for easy access.

##########################
SQL Injection Locations

1. http://example.com/view_data.php?period_id=
2. http://example.com/edit_type.php?type_id=
3. http://example.com/edit_user.php?user_id=
4. http://example.com/edit_entry.php?time_id=

All four parameters are vulnerable to union-query and time-based blind SQL injection.

Precondition: the attacker must have a valid (logged-in) session in order to exploit them.

5. http://example.com/login.php

The username and password parameters of the login form are also vulnerable to time-based blind SQL injection.

##########################
Vendor Notification

01/27/2015: Reported to the developers. They replied immediately and included the fix in a new release.
02/03/2015: Disclosure
#############################