Impact
Time-based blind SQL injection vulnerability existed in Time Tracker reports in versions prior to 1.22.13.5792. This was happening because the reports.php page was not validating all parameters in POST requests. Because some parameters were not checked, it was possible to craft a POST request with malicious SQL for Time Tracker database.
Patches
Fixed in version 1.22.13.5792.
Workarounds
Upgrade is highly recommended. If it is not practical, use fixed code in ttReportHelper.class.php from version 1.22.13.5792.
References
More information is available on Anuko website at https://www.anuko.com/time-tracker/news/time-based-blind-sql-injection-in-reports.htm
Impact
Time-based blind SQL injection vulnerability existed in Time Tracker reports in versions prior to 1.22.13.5792. This was happening because the reports.php page was not validating all parameters in POST requests. Because some parameters were not checked, it was possible to craft a POST request with malicious SQL for Time Tracker database.
Patches
Fixed in version 1.22.13.5792.
Workarounds
Upgrade is highly recommended. If it is not practical, use fixed code in ttReportHelper.class.php from version 1.22.13.5792.
References
More information is available on Anuko website at https://www.anuko.com/time-tracker/news/time-based-blind-sql-injection-in-reports.htm