
Reflected XSS vulnerability - not checking browser_today parameter for sanity

Low
anuko published GHSA-g9cc-m4p4-6xpc Oct 18, 2021

Package

No package listed

Affected versions

< 1.19.30.5601

Patched versions

1.19.30.5601

Description

Impact

Time Tracker uses a browser_today hidden control on a few pages to collect today's date from the user's browser. Because this parameter was not checked for sanity in versions prior to 1.19.30.5601, it was possible to craft an HTML form containing malicious JavaScript, use social engineering to convince a logged-on user to submit a POST from that form, and have the attacker-supplied JavaScript executed in the user's browser.

Patches

Patched in version 1.19.30.5600.

Workarounds

Upgrading is recommended. If that is not practical, introduce the ttValidDbDateFormatDate function as in the latest version and add a call to it within the access checks block in the following files:

expense_edit.php
expenses.php
login.php
puncher.php
time.php
time_edit.php
week.php

For example:

if ($request->isPost()) {
  // Validate that browser_today parameter is in correct format.
  $browser_today = $request->getParameter('browser_today');
  if ($browser_today && !ttValidDbDateFormatDate($browser_today)) {
    header('Location: access_denied.php');
    exit();
  }
}
// End of access checks.
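The check the workaround describes, as an added example that is not Time Tracker's own code: validDbDateFormatDate is an assumed reconstruction of what ttValidDbDateFormatDate has to enforce (a strict YYYY-MM-DD calendar date), handleBrowserToday stands in for the access-check block, hiddenBrowserTodayField shows the output-escaping that belongs alongside the input check, and the sample inputs are constructed.

```php
<?php
// Added example, not Anuko Time Tracker code. validDbDateFormatDate is an
// assumed reconstruction of the check ttValidDbDateFormatDate must make:
// the value has to be a database-format date, YYYY-MM-DD, and a real one.
function validDbDateFormatDate(string $value): bool {
    if (!preg_match('/^(\d{4})-(\d{2})-(\d{2})$/', $value, $m)) {
        return false; // wrong shape: anything with markup or quotes fails here
    }
    // checkdate() rejects well-formed but impossible dates such as 2021-02-30.
    return checkdate((int) $m[2], (int) $m[3], (int) $m[1]);
}

// The advisory's pattern: deny before any page content is rendered.
// Returns a status string instead of calling header()/exit() so it can run anywhere.
function handleBrowserToday(array $post): string {
    $browserToday = $post['browser_today'] ?? '';
    if ($browserToday !== '' && !validDbDateFormatDate($browserToday)) {
        return 'denied'; // stands in for header('Location: access_denied.php'); exit();
    }
    return 'ok';
}

// Where the value is written back into a hidden field, escape it on output too.
// Validation is the primary control; escaping is defence in depth if a new
// page forgets the check.
function hiddenBrowserTodayField(string $value): string {
    return '<input type="hidden" name="browser_today" value="'
        . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Constructed sample inputs (not from the advisory).
$samples = [
    '2021-10-18',     // the kind of value a browser normally sends
    '2021-02-30',     // right shape, impossible date
    '"><not-a-date>', // markup a crafted form could submit: rejected on shape
];
foreach ($samples as $s) {
    printf("%-16s -> %s\n", $s, handleBrowserToday(['browser_today' => $s]));
}
echo hiddenBrowserTodayField('2021-10-18'), "\n";
```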

References

More information is available at https://www.anuko.com/time-tracker/news/not-checking-browser-today-param-for-sanity.htm

For more information

If you have any questions or comments about this advisory:

Severity

Low

CVE ID

CVE-2021-41156

Weaknesses

No CWEs

Credits