header-logo
Suggest Exploit
vendor:
Timeclock software
by:
Marcela Benetrix
8,8
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Timeclock software
Affected Version From: 0.995
Affected Version To: 0.995
Patch Exists: Yes
Related CWE: N/A
CPE: timeclock-software.net
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2016

Timeclock-software – Multiple SQL injections

Timeclock-software.net's free software product was vulnerable to time-based blind SQL injection type. Moreover, once logged into the app; the following URLs were found to be vulnerable too: http://server/view_data.php?period_id, http://server/edit_type.php?type_id=, http://server/edit_user.php?user_id=, http://server/edit_entry.php?time_id=, all of them were vulnerable to Union query and time-based blind.

Mitigation:

Vendor was notified on 01/27/2016 and fixed the problem in a new release.
Source

Exploit-DB raw data:

#############################
Exploit Title : Timeclock-software - Multiple SQL injections
Author:Marcela Benetrix
Date: 01/27/2016
version: 0.995 (older version may be vulnerable too)
software link:http://timeclock-software.net

#############################
Timeclock software

Timeclock-software.net's free software product will be a simple solution to
allow your employees to record their time in one central location for easy
access.

##########################
SQL Injection Location

1. http://server/login.php
username and password were vulnerable to time-based blind sql injection
type.

Moreover, once logged into the app; the following URLs were found to be
vulnerable too:

2. http://server/view_data.php?period_id
3. http://server/edit_type.php?type_id=
4. http://server/edit_user.php?user_id=
5. http://server/edit_entry.php?time_id=

All of them are vulnerable to Union query and time-based blind.


##########################
Vendor Notification
01/27/2016 to: the developers. They replied immediately and fixed the
problem in a new release
002/03/2016: Disclosure

Navigation

Suggest Exploit

Services By CQR