Re: TimeTrex Time and Attendance Cookie Theft
This issue only affects TimeTrex v2.2.12 and older.
TimeTrex v2.2.13 and newer are patched, the latest version can be
downloaded from:
http://www.timetrex.com/
or
http://sourceforge.net/project/showfiles.php?group_id=174864&package_id=200595
Thanks.
On 21 Aug 2008 16:50:07 -0000
DoZ@xxxxxxxxxxxxxxxxx wrote:
> [HSC] TimeTrex Time and Attendance Cookie Theft
>
>
> TimeTrex allows companies to track and monitor employee attendance
> accurately in real-time from anywhere
>
> in the world. An attacker may leverage these issues to execute
> arbitrary script code in the browser of
>
> an unsuspecting user in the context of the affected site. Attacker
> can tricks the user's computer into
>
> running code which is treated as trustworthy because it appears to
> belong to the server, allowing the
>
> attacker to obtain a copy of the cookie or perform other operations.
>
>
>
> Hackers Center Security Group (http://www.hackerscenter.com)
> Credit: Doz
>
> Class: Cross Site Scripting
> Remote: Yes
>
> Product: TimeTrex
> Vendor: http://www.timetrex.com
> Version: N/A
>
>
> Attackers can exploit these issues via a web client.
>
>
> http://site.com/interface/Login.php?user_name=admin&password=XSS
> http://site.com/interface/Login.php?user_name=XSS
>
>
>
>
> Google Dork: TimeTrex Time and Attendance - Secure Login
>
> Reference:
>
> http://www.hackerscenter.com/index.php?/HSC-Research-Group/Advisories/HSC-TimeTrex-Time-and-Attendance-Cookie-Theft.html
--
Mike (ipso@xxxxxxxxxxxxx)