UNION SQL Injection in Puncher Plugin
CVE-2022-24707.
UNION SQL injection and time-based blind SQL injection vulnerabilities existed in the Time Tracker Puncher plugin in versions prior to 1.20.0.5642. The plugin reused code from other parts of Time Tracker and relied on an unvalidated date parameter taken from POST requests. Because the parameter was not checked before being used in a query, it was possible to craft POST requests carrying malicious SQL against the Time Tracker database.
Patches
Fixed in version 1.20.0.5642, with a better fix in 1.20.0.5643, when the Puncher plugin was re-coded.
Workarounds
An upgrade is highly recommended. If upgrading is not practical, add a check for the date parameter in the access checks portion of puncher.php, as was done in version 1.20.0.5642. Note that this check is no longer needed if you use the updated Puncher plugin from version 1.20.0.5643 onward.
Here is what this check may look like:
// Access checks.
// If we are passed in a date, make sure it is in correct format.
$date = $request->getParameter('date');
if ($date && !ttValidDbDateFormatDate($date)) {
header('Location: access_denied.php');
exit();
}
// End of access checks.
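The following is an added example, not code from Time Tracker or the Puncher plugin. It models the bug pattern described above in Python against an in-memory SQLite database: a date parameter spliced into the SQL text lets a UNION payload pull rows from an unrelated table, while a format check equivalent to the puncher.php workaround (my assumed behaviour of ttValidDbDateFormatDate(): exact YYYY-MM-DD and a real calendar date) rejects the payload before any query runs. The table names, columns and sample rows are constructed for the example and are not the project's schema.

```python
import re
import sqlite3
from datetime import date


def make_db():
    # Constructed schema standing in for a Time Tracker-style database.
    # Names and rows are assumptions for this example, not the project's.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tt_log (id INTEGER, user_id INTEGER, date TEXT, duration TEXT);
        CREATE TABLE tt_users (id INTEGER, login TEXT, password TEXT);
        INSERT INTO tt_log VALUES (1, 7, '2022-02-20', '01:00'),
                                  (2, 7, '2022-02-21', '02:30');
        INSERT INTO tt_users VALUES (7, 'alice', '$2y$10$hash-of-alice'),
                                    (8, 'bob',   '$2y$10$hash-of-bob');
    """)
    return conn


def vulnerable_query(conn, user_id, date_param):
    # The bug pattern: an unchecked POST parameter is spliced into the SQL text.
    # A value such as "2022-02-20' UNION SELECT login, password FROM tt_users -- "
    # closes the string literal and appends an attacker-chosen SELECT.
    sql = (f"SELECT date, duration FROM tt_log "
           f"WHERE user_id = {user_id} AND date = '{date_param}'")
    return conn.execute(sql).fetchall()


DB_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def valid_db_date(s):
    # Assumed equivalent of ttValidDbDateFormatDate(): the value must be exactly
    # YYYY-MM-DD and must be a real calendar date (so 2022-02-30 is rejected).
    if not DB_DATE_RE.match(s):
        return False
    try:
        date.fromisoformat(s)
    except ValueError:
        return False
    return True


def hardened_query(conn, user_id, date_param):
    # The workaround's access check, modelled as raising instead of redirecting
    # to access_denied.php. The query additionally binds its values rather than
    # interpolating them, so even a value that passed the check cannot alter the SQL.
    if not valid_db_date(date_param):
        raise ValueError("access denied: date parameter is not in YYYY-MM-DD format")
    sql = "SELECT date, duration FROM tt_log WHERE user_id = ? AND date = ?"
    return conn.execute(sql, (user_id, date_param)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "2022-02-20' UNION SELECT login, password FROM tt_users -- "
    print("vulnerable:", vulnerable_query(conn, 7, payload))
    try:
        hardened_query(conn, 7, payload)
    except ValueError as e:
        print("hardened:", e)
    print("hardened, legitimate input:", hardened_query(conn, 7, "2022-02-20"))
```

The upstream workaround only adds the format check; binding the parameters as well is an extra layer that this example includes on its own account. A strict format check is enough to stop both the UNION and the time-based blind variants described above, because neither a quote nor a comment sequence can pass it.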
Puncher Plugin Updated
The Puncher plugin was rewritten in version 1.20.0.5643. If you use the updated version, the workaround above is no longer required, because the date parameter is no longer used in the plugin.
If you need help with upgrading or migrating your system, you can order paid support. We can also host Time Tracker for your organization on our servers. If you have any questions, feel free to contact us.