TTS Software Time Tracking Software Edituser.PHP Access Validation Vulnerability

Vulnerability ID: 1109782    Vulnerability type: access validation error
Published: 2006-02-20    Updated: 2006-02-20
CVE: CVE-2006-0691    CNNVD ID: CNNVD-200602-223
Platform: PHP    CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/27250
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200602-223
|Vulnerability details
edituser.php in TTS Time Tracking Software 3.0 does not verify that the supplied username and password are correct, which allows a remote attacker to overwrite arbitrary data belonging to any account.
|Exploit
source: http://www.securityfocus.com/bid/16731/info

Time Tracking Software is prone to an access-validation vulnerability. This issue is due to the application's failure to limit access to administrative sections of the application.

An attacker can exploit this vulnerability to modify user data in the context of the application. This may result in a loss of confidentiality. The attacker may use this information in further attacks. 

This issue is reported to affect Time Tracking Software version 3.0; other versions may also be vulnerable.

http://www.example.com/timetracking/edituser.php?num=[userid]
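To show the defect class the advisory describes (a record selected by `num` and updated without checking who is asking) beside a hardened form that ties the update to an authenticated session, here is an added illustration. It is not the Time Tracking Software source, which the advisory does not quote; the table and column names are assumptions.

```php
<?php
// Added illustration of the reported defect class. NOT the Time Tracking Software
// source; the users table and its columns (id, email, realname) are assumed.

// Vulnerable pattern: the account to modify is chosen solely by ?num=<id>.
// Nothing checks who is asking, so any remote client can overwrite any account.
function edit_user_vulnerable(PDO $db, array $get, array $post): void
{
    $stmt = $db->prepare('UPDATE users SET email = ?, realname = ? WHERE id = ?');
    $stmt->execute([$post['email'], $post['realname'], (int) $get['num']]);
}

// Hardened pattern: require an authenticated session, and only allow the target
// row to be the caller's own account unless the caller holds the admin role.
// Returns the HTTP status the handler should send.
function edit_user_hardened(PDO $db, array $get, array $post, array $session): int
{
    if (empty($session['user_id'])) {
        return 401;                      // no login at all: refuse before touching the DB
    }
    $target = (int) ($get['num'] ?? 0);
    if ($target !== (int) $session['user_id'] && empty($session['is_admin'])) {
        return 403;                      // logged in, but not the owner of this record
    }
    if (!filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        return 400;                      // basic input validation on the new values
    }
    $stmt = $db->prepare('UPDATE users SET email = ?, realname = ? WHERE id = ?');
    $stmt->execute([$post['email'], $post['realname'] ?? '', $target]);
    return 200;
}

// Constructed sample data so the script runs stand-alone (in-memory SQLite).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, realname TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice@example.com', 'Alice'), (2, 'bob@example.com', 'Bob')");
$post = ['email' => 'changed@example.com', 'realname' => 'Changed'];

// Anonymous caller targeting user 2: refused, nothing written.
var_dump(edit_user_hardened($db, ['num' => '2'], $post, []));
// User 1 targeting user 2 without the admin role: refused.
var_dump(edit_user_hardened($db, ['num' => '2'], $post, ['user_id' => 1]));
// User 2 editing their own record: accepted and written.
var_dump(edit_user_hardened($db, ['num' => '2'], $post, ['user_id' => 2]));
print_r($db->query('SELECT id, email, realname FROM users')->fetchAll(PDO::FETCH_ASSOC));
```

The same check belongs in every handler that takes a record id from the request; enforcing it only on the login page leaves edituser.php reachable directly, which is the condition the advisory reports.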
|References

Source: XF
Name: timetracking-edituser-auth-bypass (24570)
Link: http://xforce.iss.net/xforce/xfdb/24570
Source: MISC
Link: http://www.evuln.com/vulns/69/summary.html
Source: BID
Name: 16731
Link: http://www.securityfocus.com/bid/16731
Source: BID
Name: 16630
Link: http://www.securityfocus.com/bid/16630
Source: BUGTRAQ
Name: 20060219 [eVuln] Time Tracking Software Multiple Vulnerabilities
Link: http://www.securityfocus.com/archive/1/archive/1/425505/100/0/threaded
Source: VUPEN
Name: ADV-2006-0524
Link: http://www.frsirt.com/english/advisories/2006/0524
Source: SECUNIA
Name: 18854
Link: http://secunia.com/advisories/18854