Not Checking browser_today Parameter for Sanity
CVE-2021-41156.
Time Tracker uses the browser_today hidden control on a few pages to collect today's date from the user's browser. Because this parameter was not checked for sanity in versions prior to 1.19.30.5601, it was possible to craft an HTML form containing malicious JavaScript, use social engineering to convince a logged-on user to submit a POST from that form, and have the attacker-supplied JavaScript executed in the user's browser.
Patches
Affected versions: Time Tracker 1.19.30.5600 and prior. Patched in version 1.19.30.5601.
Workarounds
Upgrading is recommended. If that is not practical, introduce the ttValidDbDateFormatDate function as in the latest version and add a call to it within the access-checks block in the following files:
- expense_edit.php
- expenses.php
- login.php
- puncher.php
- time.php
- time_edit.php
- week.php
For example:
if ($request->isPost()) {
  // Validate that browser_today parameter is in correct format.
  $browser_today = $request->getParameter('browser_today');
  if ($browser_today && !ttValidDbDateFormatDate($browser_today)) {
    header('Location: access_denied.php');
    exit();
  }
}
// End of access checks.
Here is how the ttValidDbDateFormatDate function looks at the time of this writing:
// ttValidDbDateFormatDate is used to check user input to validate a date in DB_DATEFORMAT.
function ttValidDbDateFormatDate($val)
{
  $val = trim($val);
  if (strlen($val) == 0)
    return false;
  // This should validate a string in format 'YYYY-MM-DD'.
  if (!preg_match('/^\d\d\d\d-\d\d-\d\d$/', $val))
    return false;
  return true;
}
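The following is an added example, not code from the advisory or from Time Tracker itself. It runs the ttValidDbDateFormatDate function shown above over a set of constructed browser_today values, and adds a hypothetical stricter helper, ttValidCalendarDate, to illustrate that the regular expression checks only the shape of the value, not whether the date exists on the calendar.

```php
<?php
// Added example: exercises the advisory's ttValidDbDateFormatDate against
// constructed inputs. ttValidCalendarDate is a hypothetical stricter variant,
// not part of Time Tracker.

function ttValidDbDateFormatDate($val)
{
  $val = trim($val);
  if (strlen($val) == 0)
    return false;
  // Format check only: the value must look like 'YYYY-MM-DD'.
  if (!preg_match('/^\d\d\d\d-\d\d-\d\d$/', $val))
    return false;
  return true;
}

// Hypothetical stricter variant: same format check, then confirm the
// year/month/day is a real calendar date (rejects e.g. 2021-02-30).
function ttValidCalendarDate($val)
{
  if (!ttValidDbDateFormatDate($val))
    return false;
  list($y, $m, $d) = array_map('intval', explode('-', trim($val)));
  return checkdate($m, $d, $y);
}

// Constructed sample values a browser_today POST field might carry.
$samples = [
  '2021-10-05',                          // well-formed, real date
  "  2021-10-05\n",                      // accepted after trim()
  '',                                    // empty: rejected
  '2021-02-30',                          // right shape, not a real date
  '2021-10-05<script>alert(1)</script>', // markup payload: rejected
  "2021-10-05\n<b>x</b>",                // internal newline: rejected
];

foreach ($samples as $s) {
  printf("%-40s format=%-5s calendar=%s\n",
    json_encode($s),
    ttValidDbDateFormatDate($s) ? 'true' : 'false',
    ttValidCalendarDate($s) ? 'true' : 'false');
}
```

The regex is sufficient to keep markup out of browser_today, which is what the advisory is about; the calendar check only matters if the value is later used in date arithmetic or database queries.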
If you need help with upgrading or migrating your system, you can order paid support. We can also host Time Tracker for your organization on our servers. If you have any questions, feel free to contact us.