
SQL Injection Vulnerability in Multiple Files

CVE-2021-43851.

An SQL injection vulnerability existed in multiple files of Time Tracker version 1.19.33.5606 and prior because the group and status parameters of POST requests were not properly validated before being used in SQL queries. The group parameter is posted when navigating between organizational subgroups (groups.php file). The status parameter is used in multiple files to change the status of an entity, for example to make a project, task, or user inactive.

Patches

Affected versions: Time Tracker 1.19.33.5606 and prior. Patched in version 1.19.33.5607.

Workarounds

Upgrading is highly recommended. If an upgrade is not practical, introduce the ttValidStatus function as in the latest version and use it in the user input check blocks wherever the status field is used. For the groups.php fix, introduce the ttValidInteger function as in the latest version and use it in the access checks block of that file.

Here is how the ttValidStatus function looks at the time of this writing:
// ttValidStatus is used to check user input to validate a status value.
function ttValidStatus($val)
{
  if (null == $val)
    return true;

  if (!ttValidInteger($val))
    return false;

  $intVal = (int) $val; // Cast to int for comparisons below to work.
  if ($intVal != ACTIVE && $intVal != INACTIVE)
    return false;

  return true;
}

Below is the code for ttValidInteger:
// ttValidInteger is used to check user input to validate an integer.
function ttValidInteger($val, $emptyValid = false)
{
  $val = trim($val);
  if (strlen($val) == 0)
    return ($emptyValid ? true : false);
    
  if (!preg_match('/^[0-9]+$/', $val))
    return false;

  return true;
}

The access checks block in the groups.php file:
// Access checks.
if (!ttAccessAllowed('manage_subgroups')) {
  header('Location: access_denied.php');
  exit();
}
if ($request->isPost()) {
  $group_id = $request->getParameter('group');
  if (!ttValidInteger($group_id)) {
    header('Location: access_denied.php'); // Protection against sql injection.
    exit();
  }
  if (!$user->isGroupValid($group_id)) {
    header('Location: access_denied.php'); // Wrong group id in post.
    exit();
  }
}
// End of access checks.

Finally, an example of checking the status parameter in a user input validation block:
if ($request->isPost()) {
  // Validate user input.
  if (!ttValidString($cl_name)) $err->add($i18n->get('error.field'), $i18n->get('label.thing_name'));
  if (!ttValidString($cl_description, true)) $err->add($i18n->get('error.field'), $i18n->get('label.description'));
  if (!ttValidStatus($cl_status)) $err->add($i18n->get('error.field'), $i18n->get('label.status'));
...
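The following self-contained PHP script is an added example and is not Time Tracker code. It shows what an unvalidated status value can do when it is interpolated into an UPDATE statement, and how the ttValidStatus and ttValidInteger checks from this advisory stop it. The table, its rows, the ACTIVE/INACTIVE values (1/0) and the two update functions are assumptions made for the example; the validation helpers are copied from the advisory text, with a string cast added so they run cleanly on current PHP.

```php
<?php
// Added example, not part of Time Tracker. Requires the pdo_sqlite extension.
// ACTIVE/INACTIVE are assumed to be 1/0 for the purpose of this example.
define('ACTIVE', 1);
define('INACTIVE', 0);

// Validation helpers as given in the advisory (string cast added for PHP 8).
function ttValidInteger($val, $emptyValid = false)
{
  $val = trim((string) $val);
  if (strlen($val) == 0)
    return ($emptyValid ? true : false);

  if (!preg_match('/^[0-9]+$/', $val))
    return false;

  return true;
}

function ttValidStatus($val)
{
  if (null == $val)
    return true;

  if (!ttValidInteger($val))
    return false;

  $intVal = (int) $val; // Cast to int for comparisons below to work.
  if ($intVal != ACTIVE && $intVal != INACTIVE)
    return false;

  return true;
}

// Constructed sample data: three active tasks in two groups.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tt_tasks (id INTEGER PRIMARY KEY, group_id INTEGER, name TEXT, status INTEGER)');
$db->exec("INSERT INTO tt_tasks (id, group_id, name, status) VALUES
  (1, 5, 'Design', 1), (2, 5, 'Testing', 1), (3, 7, 'Audit', 1)");

// Vulnerable pattern (hypothetical): the raw POST value lands in the SQL string.
function setTaskStatusUnsafe(PDO $db, $taskId, $status)
{
  return $db->exec("UPDATE tt_tasks SET status = $status WHERE id = $taskId");
}

// Hardened pattern (hypothetical): validate as the advisory prescribes, then bind.
function setTaskStatusSafe(PDO $db, $taskId, $status)
{
  if (!ttValidInteger($taskId) || !ttValidStatus($status)) {
    return false; // In Time Tracker this is where $err->add(...) would fire.
  }
  $stmt = $db->prepare('UPDATE tt_tasks SET status = :status WHERE id = :id');
  $stmt->execute([':status' => (int) $status, ':id' => (int) $taskId]);
  return $stmt->rowCount();
}

function countInactive(PDO $db)
{
  return (int) $db->query('SELECT COUNT(*) FROM tt_tasks WHERE status = 0')->fetchColumn();
}

// A status value that closes the SET clause and comments out the intended WHERE clause.
$evil = '0 WHERE 1=1 --';

// Unsafe: deactivating task 1 deactivates every task.
$affected = setTaskStatusUnsafe($db, '1', $evil);
printf("unsafe: %d rows affected, %d tasks inactive\n", $affected, countInactive($db));

$db->exec('UPDATE tt_tasks SET status = 1'); // Reset for the validated run.

// Safe: the same payload is rejected before any SQL is built.
$result = setTaskStatusSafe($db, '1', $evil);
printf("safe, injected status: %s, %d tasks inactive\n", var_export($result, true), countInactive($db));

// An integer that is not a legal status is rejected as well.
$result = setTaskStatusSafe($db, '1', '5');
printf("safe, status 5: %s\n", var_export($result, true));

// A legitimate deactivation of one task still works.
$result = setTaskStatusSafe($db, '1', '0');
printf("safe, status 0: %d row affected, %d task inactive\n", $result, countInactive($db));

// The group parameter from groups.php is covered by ttValidInteger alone.
foreach (['5', '5 OR 1=1', '', '07'] as $group) {
  printf("group %-10s valid: %s\n", var_export($group, true), var_export(ttValidInteger($group), true));
}
```

Running it shows the unsafe update touching all three rows, the validated function returning false for both the injected string and the out-of-range value 5, and only the plain "0" reaching the database. Note that the script also binds the values with a prepared statement, which goes one step beyond the advisory's workaround; the ttValidStatus check is what closes this CVE, but binding parameters means a future regression in a validation block is no longer an injection.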

If you need help with upgrading or migrating your system you can order paid support. We can also host Time Tracker for your organization on our servers. If you have any questions feel free to contact us.