Impact
SQL injection vulnerability existed in multiple files in Time Tracker version 1.19.33.5606 and prior due to not properly checking of the "group" and "status" parameters in POST requests. Group parameter is posted along when navigating between organizational subgroups (groups.php file). Status parameter is used in multiple files to change a status of an entity such as making a project, task, or user inactive.
Patches
Patched in version 1.19.33.5607.
Workarounds
Upgrade is highly recommended. If upgrade is not practical, introduce ttValidStatus function as in the latest version and start using it user input check blocks wherever status field is used. For groups.php fix, introduce ttValidInteger function as in the latest version and use it in the access check block in the file.
References
More information about this vulnerability and workarounds is at https://www.anuko.com/time-tracker/news/sql-injection-vulnerability-in-multiple-files.htm
For more information
If you have any questions or comments about this advisory:
indevi0us Analyst
Impact
SQL injection vulnerability existed in multiple files in Time Tracker version 1.19.33.5606 and prior due to not properly checking of the "group" and "status" parameters in POST requests. Group parameter is posted along when navigating between organizational subgroups (groups.php file). Status parameter is used in multiple files to change a status of an entity such as making a project, task, or user inactive.
Patches
Patched in version 1.19.33.5607.
Workarounds
Upgrade is highly recommended. If upgrade is not practical, introduce ttValidStatus function as in the latest version and start using it user input check blocks wherever status field is used. For groups.php fix, introduce ttValidInteger function as in the latest version and use it in the access check block in the file.
References
More information about this vulnerability and workarounds is at https://www.anuko.com/time-tracker/news/sql-injection-vulnerability-in-multiple-files.htm
For more information
If you have any questions or comments about this advisory: