Impact
UNION-based SQL injection and time-based blind SQL injection vulnerabilities existed in the Time Tracker Puncher plugin in versions prior to 1.20.0.5642. The Puncher plugin reused code from other parts of Time Tracker and relied on a date parameter in POST requests that was never validated. Because the parameter was not checked, an attacker who could submit POST requests to the plugin could craft a date value containing SQL that was passed through to the Time Tracker database.
Patches
Fixed in version 1.20.0.5642, with a more thorough fix in 1.20.0.5643, where the Puncher plugin was rewritten.
Workarounds
An upgrade is highly recommended. If upgrading is not practical, add a check for the date parameter in the access-checks portion of puncher.php, as in version 1.20.0.5642. This check is no longer needed once you run the rewritten Puncher plugin from version 1.20.0.5643.
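The following is an added illustration of the bug class and of the shape of the workaround above; it is not code from Time Tracker or from the Anuko fix, and the table names, column names and the validator function are assumptions made for the example. It shows a date value concatenated into a query (the unchecked pattern), a constructed UNION payload exploiting that pattern against an in-memory SQLite database, and a hardened path that rejects anything that is not a strict YYYY-MM-DD date before it can reach a query and then binds the value as a parameter. The same pre-query check also stops time-based blind payloads (for example a value carrying a sleep() call), since they never reach the database either.

```php
<?php
// Added example, not Time Tracker code. Table/column names are assumed.

// Strict YYYY-MM-DD check: shape first, then calendar validity.
function isValidDate(string $value): bool {
    if (!preg_match('/^(\d{4})-(\d{2})-(\d{2})$/', $value, $m)) {
        return false;
    }
    return checkdate((int)$m[2], (int)$m[3], (int)$m[1]);
}

// Unchecked pattern: the request value is interpolated straight into SQL.
function buildUncheckedQuery(string $date): string {
    return "select id, duration from tt_log where date = '$date'";
}

// Hardened pattern: validate at the access-check stage, then bind a placeholder.
function runHardenedQuery(PDO $db, string $date): array {
    if (!isValidDate($date)) {
        throw new InvalidArgumentException('invalid date parameter');
    }
    $stmt = $db->prepare('select id, duration from tt_log where date = :date');
    $stmt->execute([':date' => $date]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo database (requires the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('create table tt_log (id integer, date text, duration text)');
$db->exec('create table tt_users (id integer, login text, password text)');
$db->exec("insert into tt_log values (1, '2024-01-15', '01:00')");
$db->exec("insert into tt_users values (7, 'admin', 'hash-placeholder')");

// Constructed UNION payload of the kind an unchecked date parameter lets through.
// The column count (2) matches the original select, so the extra row is returned.
$payload = "2024-01-15' union select id, password from tt_users -- ";

// Unchecked: the query now also returns a row from tt_users.
$rows = $db->query(buildUncheckedQuery($payload))->fetchAll(PDO::FETCH_ASSOC);
echo "unchecked query returned ", count($rows), " rows\n";
print_r($rows);

// Hardened: the payload is rejected before any SQL is built.
try {
    runHardenedQuery($db, $payload);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// A well-formed date still works through the hardened path.
print_r(runHardenedQuery($db, '2024-01-15'));
```

When applying the workaround to puncher.php, place the equivalent check next to the existing access checks so a request with a malformed date is refused before any database code runs; validating the shape of the value and using a bound parameter are independent defenses, and the example keeps both.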
References
More information about this vulnerability and a workaround is at https://www.anuko.com/time-tracker/news/union-sql-injection-in-puncher-plugin.htm
For more information
If you have any questions or comments about this advisory: