TimeTrex Time and Attendance Module Multiple Cross-Site Scripting Vulnerabilities
BID:30789
Info
| Bugtraq ID: | 30789 |
| Class: | Input Validation Error |
| CVE: | CVE-2008-4742 |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 21 2008 12:00AM |
| Updated: | May 07 2015 05:24PM |
| Credit: | Doz |
| Vulnerable: | TimeTrex TimeTrex 2.2.12, TimeTrex TimeTrex 2.2.11 |
| Not Vulnerable: | TimeTrex TimeTrex 2.2.13 |
Discussion
TimeTrex is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
TimeTrex versions 2.2.12 and previous are vulnerable.
Exploit / POC
An attacker can exploit these issues by tricking an unsuspecting user into following a malicious link.
The following example URIs are provided:
http://www.example.com/interface/Login.php?user_name=admin&password=XSS
http://www.example.com/interface/Login.php?user_name=XSS
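The advisory states the defect class (user-supplied input reaching the page unsanitized) and shows which parameters of Login.php carry it. The following Python is an added example written for this page, not TimeTrex's own code and not a reproduction of its Login.php: a hypothetical login form rendered once without output encoding and once with attribute-context entity encoding, an audit that reports which request parameters survive into the page unencoded, and a check over constructed access-log lines that flags Login.php requests whose decoded query values contain HTML-special characters. The `/interface/Login.php` path and the `user_name`/`password` parameter names come from the example URIs above; the marker value, the form markup, the log lines and the function names are assumptions.

```python
"""Reflected-parameter encoding and a log check for the Login.php issue
class described in this advisory. Illustrative code written for this page;
it is not TimeTrex's own code and does not reproduce its Login.php."""
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed marker value, not a real payload: a harmless inline tag is
# enough to show whether a submitted value reaches the page unencoded.
MARKER = "<i>xss</i>"

# Characters that change meaning inside HTML text or attribute values.
HTML_SPECIAL = set('<>"\'&')

# Path of the affected script, taken from the advisory's example URIs.
LOGIN_PATH = "/interface/Login.php"

# Combined-log request field, e.g. "GET /interface/Login.php?x=y HTTP/1.1".
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')


def query_params(uri: str) -> dict:
    """Return the first value of each query parameter, percent-decoded."""
    qs = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    return {name: values[0] for name, values in qs.items()}


def render_login_vulnerable(params: dict) -> str:
    """Hypothetical login form that echoes user_name and password straight
    into attribute values: the 'fails to sanitize user-supplied input' class."""
    user_name = params.get("user_name", "")
    password = params.get("password", "")
    return (f'<input type="text" name="user_name" value="{user_name}">\n'
            f'<input type="password" name="password" value="{password}">')


def render_login_hardened(params: dict) -> str:
    """Same form, with each value entity-encoded for an HTML attribute context."""
    user_name = html.escape(params.get("user_name", ""), quote=True)
    password = html.escape(params.get("password", ""), quote=True)
    return (f'<input type="text" name="user_name" value="{user_name}">\n'
            f'<input type="password" name="password" value="{password}">')


def unsafely_reflected(page: str, value: str) -> bool:
    """Heuristic: a value that encoding would have changed appears verbatim.
    Use a distinctive marker; a value the template itself contains (such as
    '">') would be a false positive."""
    return html.escape(value, quote=True) != value and value in page


def audit_uri(uri: str, renderer) -> list:
    """Render the form for a request URI and list the parameters reflected unencoded."""
    params = query_params(uri)
    page = renderer(params)
    return [name for name, value in params.items() if unsafely_reflected(page, value)]


def suspicious_login_requests(log_lines) -> list:
    """Flag Login.php requests whose decoded query values carry HTML-special
    characters; returns (line, [parameter names]) pairs for review."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        if urlsplit(target).path != LOGIN_PATH:
            continue
        flagged = [name for name, value in query_params(target).items()
                   if any(c in HTML_SPECIAL for c in value)]
        if flagged:
            hits.append((line, flagged))
    return hits


# Constructed sample access-log lines in combined-log style; not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Aug/2008:12:00:00 +0000] '
    '"GET /interface/Login.php?user_name=admin&password=XSS HTTP/1.1" 200 512',
    '192.0.2.11 - - [21/Aug/2008:12:00:05 +0000] '
    '"GET /interface/Login.php?user_name=%3Ci%3Exss%3C%2Fi%3E HTTP/1.1" 200 512',
    '192.0.2.12 - - [21/Aug/2008:12:00:09 +0000] '
    '"GET /interface/index.php HTTP/1.1" 200 128',
]


if __name__ == "__main__":
    uri = f"http://www.example.com{LOGIN_PATH}?user_name={quote(MARKER, safe='')}"
    print("vulnerable renderer reflects:", audit_uri(uri, render_login_vulnerable))
    print("hardened renderer reflects:  ", audit_uri(uri, render_login_hardened))
    for line, names in suspicious_login_requests(SAMPLE_LOG):
        print("review:", names, line)
```

The audit function is the check a reviewer applies when confirming an upgrade such as 2.2.13 actually closes the issue: feed the same marker request to the patched page and verify the marker only appears in its encoded form. The log check is deliberately coarse (any HTML-special character in a Login.php query value) so that encoded variants are caught after percent-decoding; tune the parameter set and path to the deployment.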
Solution / Fix
Solution:
The vendor released version 2.2.13 to address this issue. Please see the references for more information.
TimeTrex TimeTrex 2.2.11
- TimeTrex TimeTrex_Standard_Edition_v2.2.13.zip
  http://downloads.sourceforge.net/timetrex/TimeTrex_Standard_Edition_v2.2.13.zip?modtime=1219419973&big_mirror=0
TimeTrex TimeTrex 2.2.12
- TimeTrex TimeTrex_Standard_Edition_v2.2.13.zip
  http://downloads.sourceforge.net/timetrex/TimeTrex_Standard_Edition_v2.2.13.zip?modtime=1219419973&big_mirror=0
References
References:
- Release Name: v2.2.13 (TimeTrex)
- TimeTrex Homepage (TimeTrex)
- Re: TimeTrex Time and Attendance Cookie Theft (Mike)
- TimeTrex Time and Attendance Cookie Theft ([email protected])