Home Contact Buy
Sitemap Contact
Home Download Video Free Buy Sitemap Contact

Forum

Secure authentication using Active Directory

Problems with external Database

Display Custom Fields on Profile Page

Desktop clock disappeared...

Blank Page Problem

Database connection error

upgrade from 1.36 to 1.19

echo custom field in table on 'time' page?

News

1 Mar 2021
Time Tracker Security Advisory
26 Sep 2020
Ongoing work on Time Tracker UI changes
4 Aug 2018
World Clock 6.1 released
2 Apr 2016
Time Tracker - Locking plugin with cron spec
1 Dec 2013
Use custom time format in time converter
19 Jun 2013
How to create a database for Time Tracker
5 Jun 2013
How to change color of a displayed clock
2 Jun 2013
How to display date in World Clock on a separate line

Time Tracker Security Advisory

This post summarizes a recent critical security fix in Anuko Time Tracker software product.

Predictable Tokens Used for Password Resets

Time Tracker has a mechanism to reset forgotten passwords. It utilizes random tokens that are sent to users, which form a unique URL to change user password. In versions 1.19.24.5414 and prior these tokens were based on system time and then md5-hashed. Because they were based on system time, one could use a brute-force attack to guess a correct token. Once successful, an attacker can change user password, including that of a system administrator. The PHP code used to create tokens is below.

$temp_ref = md5(uniqid());
Above, the uniqid() call obtains a hexadecimal representation of a system time with microsecond precision. For example, we can use this code to quickly produce 2 results:

<?php
echo uniqid();
echo "\n";
echo uniqid();
echo "\n";
Which may get us something like the following:

603c0759424e5
603c075942501
The first 8 hex digits in these results represent seconds. The last 5 represent microseconds. But because we made 2 calls one after another, the seconds match exactly, and microseconds differ only slightly. This provides the attacker with an apportunity to request a token at a known time (seconds) and then use brute-force to guess the microseconds part.

Bug Fixed in Version 1.19.24.5415

Affected versions: 1.19.24.5414 and prior.
Patched in version 1.19.24.5415 (started to use more secure tokens) with an additional improvement in 1.19.24.5416 (limited an available window for brute force token guessing).

Workaround

Upgrade to the latest version is recommended. If you need help with upgrading or migrating your system you can order paid support. If upgrade is not practical, use the folowing workaround. Replace the following line #49 in password_reset.php (located in the root of Time Tracker source code).
$temp_ref = md5(uniqid());
with the following 4 lines of code:
$cryptographically_strong = true;
$random_bytes = openssl_random_pseudo_bytes(16, $cryptographically_strong);
if ($random_bytes === false) die ("openssl_random_pseudo_bytes function call failed...");
$temp_ref = bin2hex($random_bytes);
We can also host Time Tracker for your organization on our servers. If you have any questions feel free to contact us.

Home Download Video Free Buy Legal Sitemap Contact
Login
Hosting and content management by Anuko