
Cross Site Request Forgery Vulnerability

CVE-2021-29436.

A cross site request forgery (CSRF) vulnerability existed in Time Tracker versions below 1.19.27.5431. The nature of CSRF is that a logged-in user can be tricked by social engineering into submitting an attacker-provided form; the browser attaches the user's session cookie, so the request is executed in the user's session and performs an unintended action, such as changing the user's password.

Patches

Affected versions: Time Tracker 1.19.27.5430 and prior. Patched in version 1.19.27.5431.

Workarounds

Upgrading is recommended. If upgrading is not practical, add the ttMitigateCSRF() function to /WEB-INF/lib/common.php.lib using the latest available code and call it from ttAccessAllowed(), so that every state-changing request on a protected page passes the check before anything else happens.

ttMitigateCSRF function code at the time of this writing:
// ttMitigateCSRF verifies request headers in an attempt to block cross site request forgery.
// It compares the host named in the Origin header (or, failing that, the Referer header)
// with the host this request was sent to. A browser submitting an attacker's form cannot
// forge either header, so a mismatch indicates a cross site request.
function ttMitigateCSRF() {
  // No need to do anything for get requests, as they should not change state.
  global $request;
  if ($request->isGet())
    return true;

  // Prefer the Origin header; browsers send it on cross-origin POST requests.
  $origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : '';
  if ($origin) {
    $pos = strpos($origin, '//');
    if ($pos !== false)
      $origin = substr($origin, $pos+2); // Strip protocol.
  }
  if (!$origin) {
    // Try using referer.
    $origin = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    if ($origin) {
      $pos = strpos($origin, '//');
      if ($pos !== false)
        $origin = substr($origin, $pos+2); // Strip protocol.
      $pos = strpos($origin, '/');
      if ($pos !== false)
        $origin = substr($origin, 0, $pos); // Leave host only (a referer with no path is already host only).
    }
  }
  // HTTP_TARGET, if defined, overrides the Host header; this is needed when the host
  // PHP sees differs from the host browsers use, for example behind a reverse proxy.
  $target = defined('HTTP_TARGET') ? HTTP_TARGET : $_SERVER['HTTP_HOST'];
  if (strcmp($origin, $target)) {
    // Also reached when neither header was sent: the check fails closed.
    error_log("Potential cross site request forgery. Origin: '$origin' does not match target: '$target'.");
    return false; // Origin and target do not match.
  }

  return true;
}

Here is how the call to ttMitigateCSRF() looks in the ttAccessAllowed() function; the function returns false when the check fails, so the calling page never reaches its state-changing code.
// ttAccessAllowed checks whether user is allowed access to a particular page.
// It is used as an initial check on all publicly available pages
// (except login.php, register.php, and others where we don't have to check).
function ttAccessAllowed($required_right)
{
  global $auth;
  global $user;

  // Redirect to login page if user is not authenticated.
  if (!$auth->isAuthenticated()) {
    header('Location: login.php');
    exit();
  }

  // Protection against cross site request forgery.
  if (!ttMitigateCSRF())
    return false;
...
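The following is an added example and not code from Time Tracker. It re-implements the Origin/Referer comparison described above as a pure function of the request method and headers, so the edge cases can be exercised from the command line without a web server. Unlike the project's function it takes the headers as an argument instead of reading $_SERVER, uses parse_url() instead of strpos()/substr() so that a Referer without a path or an explicit default port does not produce a false mismatch, and fails closed when neither header is present. The names csrfRequestAllowed(), hostFromUrl(), the $configuredTarget parameter (standing in for the HTTP_TARGET constant) and the sample requests are all hypothetical.

```php
<?php
// Added example, not Time Tracker code. Header-based CSRF check written as a
// pure function so it can be tested with constructed requests.

// Reduce an absolute URL to a lowercase host[:port], dropping the default port
// for its scheme. Returns null when the value is not an absolute URL, which also
// covers the literal Origin value "null" sent from opaque contexts.
function hostFromUrl(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    $host = strtolower($p['host']);
    $defaultPort = ($scheme === 'https') ? 443 : 80;
    if (isset($p['port']) && $p['port'] !== $defaultPort) {
        $host .= ':' . $p['port'];
    }
    return $host;
}

// $headers is a $_SERVER-style array (HTTP_ORIGIN, HTTP_REFERER, HTTP_HOST).
// $https says whether this request arrived over TLS, so the target gets the
// same default-port treatment as the source. $configuredTarget plays the role
// of HTTP_TARGET: the public host to trust instead of the Host header.
function csrfRequestAllowed(string $method, array $headers, bool $https, ?string $configuredTarget = null): bool
{
    // Safe methods do not change state; only cross-origin writes are blocked.
    if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }
    // Prefer Origin (browsers send it on cross-origin POST); fall back to Referer.
    $source = null;
    if (!empty($headers['HTTP_ORIGIN'])) {
        $source = hostFromUrl($headers['HTTP_ORIGIN']);
    } elseif (!empty($headers['HTTP_REFERER'])) {
        $source = hostFromUrl($headers['HTTP_REFERER']);
    }
    // No usable header: fail closed rather than guess.
    if ($source === null) {
        return false;
    }
    $scheme = $https ? 'https' : 'http';
    $hostValue = $configuredTarget ?? ($headers['HTTP_HOST'] ?? '');
    $target = hostFromUrl($scheme . '://' . $hostValue);
    if ($target === null) {
        return false;
    }
    return $source === $target;
}

// Constructed sample requests: [description, method, headers, https, configured target, expected].
$cases = [
    ['same-origin POST via Origin',        'POST', ['HTTP_ORIGIN' => 'https://tt.example.com',     'HTTP_HOST' => 'tt.example.com'], true, null, true],
    ['cross-site POST from attacker page', 'POST', ['HTTP_ORIGIN' => 'https://evil.example',       'HTTP_HOST' => 'tt.example.com'], true, null, false],
    ['Referer only, no path component',    'POST', ['HTTP_REFERER' => 'https://tt.example.com',    'HTTP_HOST' => 'tt.example.com'], true, null, true],
    ['Origin "null" (sandboxed context)',  'POST', ['HTTP_ORIGIN' => 'null',                       'HTTP_HOST' => 'tt.example.com'], true, null, false],
    ['neither Origin nor Referer sent',    'POST', [                                               'HTTP_HOST' => 'tt.example.com'], true, null, false],
    ['explicit default port in Origin',    'POST', ['HTTP_ORIGIN' => 'https://tt.example.com:443', 'HTTP_HOST' => 'tt.example.com'], true, null, true],
    ['behind proxy, no configured target', 'POST', ['HTTP_ORIGIN' => 'https://tt.example.com',     'HTTP_HOST' => '10.0.0.5:8080'],  true, null, false],
    ['behind proxy, configured target',    'POST', ['HTTP_ORIGIN' => 'https://tt.example.com',     'HTTP_HOST' => '10.0.0.5:8080'],  true, 'tt.example.com', true],
    ['GET is never blocked',               'GET',  ['HTTP_ORIGIN' => 'https://evil.example',       'HTTP_HOST' => 'tt.example.com'], true, null, true],
];

foreach ($cases as [$desc, $method, $headers, $https, $target, $expected]) {
    $got = csrfRequestAllowed($method, $headers, $https, $target);
    printf("%-38s allowed=%-5s %s\n", $desc, $got ? 'true' : 'false', $got === $expected ? 'ok' : 'MISMATCH');
}
```

Save the block to a file and run it with the php command line; every line should end in "ok". The two proxy cases show why a fixed target (HTTP_TARGET in Time Tracker) matters: when PHP sees an internal host name, comparing against the Host header rejects every legitimate POST. The check rests on the browser refusing to let page script set Origin or Referer, so it is a mitigation for browser-driven CSRF only; it does nothing for a client that can set arbitrary headers, and a same-site request whose Referer has been stripped and that carries no Origin is denied rather than allowed.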

If you need help with upgrading or migrating your system you can order paid support. We can also host Time Tracker for your organization on our servers. If you have any questions feel free to contact us.