New eVuln Advisory: Time Tracking Software Multiple Vulnerabilities
http://evuln.com/vulns/69/summary.html

--------------------Summary----------------
eVuln ID: EV0069
CVE: CVE-2006-0689 CVE-2006-0690 CVE-2006-0691
Vendor: TTS Software
Software: Time Tracking Software
Software's Web Site: http://schedulingmanagement.com/download-time-tracking-software-now.php
Versions: 3.0
Critical Level: Moderate
Type: Multiple Vulnerabilities
Class: Remote
Status: Unpatched. No reply from developer(s)
Exploit: Available
Solution: Not Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

-----------------Description---------------
1. Unauthorized data modification is possible.
The script edituser.php does not check the user name and password and allows the data of any user to be modified.

2. Multiple SQL Injections
Most user-supplied data is not properly sanitized. This can be used to bypass authentication or to run arbitrary SQL queries by injecting SQL code.

3. Cross-Site Scripting
The UserName value in the Registration Form is not properly sanitized. This can be used to insert arbitrary HTML or JavaScript code.

--------------Exploit----------------------
Available at: http://evuln.com/vulns/69/exploit.html

--------------Solution---------------------
No patch available.

--------------Credit-----------------------
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Regards,
Aliaksandr Hartsuyeu
http://evuln.com - Penetration Testing Services
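As an added illustration, not code from TTS Software or from the advisory, the following sketch shows the three controls an edituser.php-style handler needs to close the flaw classes listed above: an authorization check tying the edited row to the logged-in user, parameterized SQL, and output encoding of the user name. The table and column names, the session layout and the database credentials are assumptions.

```php
<?php
// Added example (not the vendor's code). Hardened sketch of a profile-edit handler.
// Assumed schema: table `users` with columns id, username, email.
session_start();

// Finding 1 (unauthorized data modification): require a session and refuse to edit
// any row other than the authenticated user's own. A handler that trusts a posted
// user id alone lets any caller modify any account.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('login required');
}
$targetId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if ($targetId === false || $targetId === null || $targetId !== (int) $_SESSION['user_id']) {
    http_response_code(403);
    exit('you may only edit your own account');
}

// Basic input validation before anything touches the database.
$username = trim((string) ($_POST['username'] ?? ''));
$email    = trim((string) ($_POST['email'] ?? ''));
if ($username === '' || strlen($username) > 64 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('invalid input');
}

// Finding 2 (SQL injection): bind every user-supplied value; never interpolate it
// into the query string. Disabling emulated prepares makes the server do the binding.
$pdo = new PDO('mysql:host=localhost;dbname=tts;charset=utf8mb4', 'tts_app', 'CHANGE_ME', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);
$stmt = $pdo->prepare('UPDATE users SET username = :u, email = :e WHERE id = :id');
$stmt->execute([':u' => $username, ':e' => $email, ':id' => $targetId]);

// Finding 3 (cross-site scripting): encode the stored name whenever it is echoed
// back into HTML, so a name containing markup renders as text rather than executing.
header('Content-Type: text/html; charset=UTF-8');
echo 'Saved profile for ' . htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
```

The same encoding step belongs wherever the registration form's UserName is later rendered, not only on this response.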