
Time Tracker Security Advisory

This post summarizes a recent critical security fix in the Anuko Time Tracker software product.

Predictable Tokens Used for Password Resets

Time Tracker has a mechanism to reset forgotten passwords. It sends the user a random token, which forms part of a unique URL for changing the password. In versions 1.19.24.5414 and prior these tokens were derived from the system time and then md5-hashed. Because they were based on system time, an attacker could guess a correct token by brute force. Once successful, the attacker can change that user's password, including the password of a system administrator. The PHP code used to create tokens is below.

$temp_ref = md5(uniqid());
Above, uniqid() returns a hexadecimal representation of the current system time with microsecond precision; the md5() call adds no randomness, it only disguises the time value. For example, we can use this code to quickly produce 2 results:

<?php
echo uniqid();
echo "\n";
echo uniqid();
echo "\n";
Which may get us something like the following:

603c0759424e5
603c075942501
The first 8 hex digits in these results represent seconds. The last 5 represent microseconds. Because we made the 2 calls one right after the other, the seconds match exactly and the microseconds differ only slightly. This gives an attacker the opportunity to request a token at a known time (seconds) and then brute-force only the microseconds part.
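To make the size of the problem concrete, here is an added example (not code from the advisory or from Time Tracker) that decodes the two sample values above into their time fields and compares the remaining uncertainty of a uniqid()-based token with that of 16 random bytes. The function names are this example's own; the sample tokens are the two printed above.

```php
<?php
// Added example: audit the entropy of uniqid()-style tokens.
// PHP builds uniqid() as sprintf("%08x%05x", seconds, microseconds), so the
// value is fully determined by the clock; md5() over it is reversible by
// hashing each candidate time, so it adds no secrecy.

/**
 * Split a plain 13-character uniqid() value into its seconds and microseconds.
 */
function decode_uniqid(string $token): array
{
    if (!preg_match('/^[0-9a-f]{13}$/', $token)) {
        throw new InvalidArgumentException("not a plain uniqid() value: $token");
    }
    return [
        'seconds'      => hexdec(substr($token, 0, 8)),
        'microseconds' => hexdec(substr($token, 8, 5)),
    ];
}

/**
 * Bits left to guess in a uniqid() token once the generation second is known:
 * the microsecond field takes at most 1,000,000 values, about 19.9 bits.
 */
function uniqid_guess_bits(): float
{
    return log(1000000, 2);
}

/** Bits of randomness in a token made of $bytes random bytes (128 for 16). */
function random_token_bits(int $bytes): int
{
    return 8 * $bytes;
}

// Sample values taken from the advisory text above.
$samples = ['603c0759424e5', '603c075942501'];
foreach ($samples as $token) {
    $fields = decode_uniqid($token);
    printf("%s -> %s UTC + %6d us\n",
        $token, gmdate('Y-m-d H:i:s', $fields['seconds']), $fields['microseconds']);
}
printf("uniqid() with known second: %.1f bits to guess\n", uniqid_guess_bits());
printf("16 random bytes:            %d bits\n", random_token_bits(16));
```

Running this shows the two sample tokens fall in the same second and differ by a few dozen microseconds, which is why a fixed-width random token (the approach taken in the workaround below) rather than a longer hash of the time is the right fix: the weakness is the input, not the hash.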

Bug Fixed in Version 1.19.24.5415

Affected versions: 1.19.24.5414 and prior.
Patched in version 1.19.24.5415 (started to use more secure tokens) with an additional improvement in 1.19.24.5416 (limited an available window for brute force token guessing).

Workaround

Upgrading to the latest version is recommended. If you need help with upgrading or migrating your system, you can order paid support. If an upgrade is not practical, use the following workaround. Replace line #49 in password_reset.php (located in the root of the Time Tracker source code), which reads:
$temp_ref = md5(uniqid());
with the following 4 lines of code:
$cryptographically_strong = false; // set by reference by the call below
$random_bytes = openssl_random_pseudo_bytes(16, $cryptographically_strong);
if ($random_bytes === false || !$cryptographically_strong) die("openssl_random_pseudo_bytes function call failed or returned weak randomness...");
$temp_ref = bin2hex($random_bytes); // 32 hex characters, same length as the old md5 output
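The workaround fixes token generation; version 1.19.24.5416 additionally limited the window in which a token can be used. The following added example (not Time Tracker code) puts both ideas together in a self-contained reset-token flow: random tokens from the same openssl call, an expiry window, and a constant-time comparison on verification. The in-memory array standing in for the database, the 15-minute lifetime, and all function and field names are assumptions of this example. On PHP 7 and later, random_bytes(16) is an equivalent source for make_reset_token().

```php
<?php
// Added example: password-reset tokens with strong randomness and a bounded
// validity window. Storage is an in-memory array in place of a database.

const RESET_TOKEN_BYTES = 16;      // 128 bits of randomness per token
const RESET_TOKEN_TTL   = 15 * 60; // assumed lifetime in seconds

/** Return 32 hex characters from a cryptographically strong source, or fail loudly. */
function make_reset_token(): string
{
    $strong = false;
    $bytes = openssl_random_pseudo_bytes(RESET_TOKEN_BYTES, $strong);
    if ($bytes === false || !$strong) {
        throw new RuntimeException('no cryptographically strong random source available');
    }
    return bin2hex($bytes);
}

/** Issue a token for $user_id; any earlier pending token for that user is replaced. */
function issue_reset(array &$store, int $user_id, int $now): string
{
    $token = make_reset_token();
    $store[$user_id] = ['token' => $token, 'expires' => $now + RESET_TOKEN_TTL];
    return $token;
}

/**
 * Accept a presented token once, only while unexpired. hash_equals() keeps the
 * comparison time independent of how many leading characters match. Failed
 * attempts leave the token in place; rate limiting of failures is a separate
 * control not shown here.
 */
function verify_reset(array &$store, int $user_id, string $presented, int $now): bool
{
    if (!isset($store[$user_id])) {
        return false;
    }
    $entry = $store[$user_id];
    if ($now > $entry['expires']) {
        unset($store[$user_id]); // expired tokens are discarded, not compared
        return false;
    }
    if (!hash_equals($entry['token'], $presented)) {
        return false;
    }
    unset($store[$user_id]); // single use: a token cannot be replayed
    return true;
}

// Demonstration with a constructed user id and a fixed clock.
$pending_resets = [];
$now = 1614546777; // the second encoded in the advisory's sample token

$token = issue_reset($pending_resets, 42, $now);
echo 'after TTL:  ', verify_reset($pending_resets, 42, $token, $now + RESET_TOKEN_TTL + 1) ? 'accepted' : 'rejected', "\n";

$token = issue_reset($pending_resets, 42, $now);
echo 'in window:  ', verify_reset($pending_resets, 42, $token, $now + 60) ? 'accepted' : 'rejected', "\n";
echo 'replayed:   ', verify_reset($pending_resets, 42, $token, $now + 61) ? 'accepted' : 'rejected', "\n";
```

The first check is rejected because the token has expired, the second is accepted, and the third is rejected because the token was consumed on its first successful use. With 128 random bits and a window of minutes rather than unlimited validity, brute-force guessing of the kind described above is no longer feasible.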
We can also host Time Tracker for your organization on our servers. If you have any questions feel free to contact us.