CVE-2021-47966
Description
PHP Timeclock 1.04 contains time-based and boolean-based blind SQL injection vulnerabilities in the login_userid parameter of login.php that allow unauthenticated attackers to extract database contents. Attackers can submit crafted POST requests with SQL payloads using SLEEP functions or RLIKE conditional statements to dump sensitive database information, including employee names and credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The login.php script of PHP Timeclock 1.04 has an unauthenticated blind SQL injection in the login_userid parameter that allows extraction of database contents.
Vulnerability overview
PHP Timeclock 1.04, a web-based time tracking system [1], is vulnerable to blind SQL injection in the login_userid parameter of login.php. The application fails to sanitize user input before incorporating it into SQL queries, allowing attackers to inject malicious SQL code. Both time-based and boolean-based blind techniques are possible, using SLEEP functions or RLIKE conditional statements, respectively [2][4].
Exploitation details
The vulnerability is unauthenticated; an attacker can send a crafted POST request to the login page without needing any prior access. The injection point is the login_userid parameter, which is processed regardless of whether the login attempt succeeds. Tools like SQLmap can automate exploitation, requiring only the target URL and the parameter to test [2]. No special network position is needed, as the attack is performed over HTTP.
Impact
Successful exploitation allows an attacker to extract sensitive database contents, including employee names, passwords, and other credentials stored in the application's database. The blind nature of the injection means data can be retrieved character by character, but the process is efficient with automation. Given the CVSS score of 8.2, the confidentiality impact is high, while integrity and availability impacts are limited [4].
Mitigation status
As of the latest version (1.04), no patch has been released by the vendor, and the project appears to be unmaintained (last update in 2006) [1]. Users are advised to discontinue use of PHP Timeclock or implement web application firewall (WAF) rules to block SQL injection patterns. The vulnerability is listed on Exploit-DB, increasing the risk of active exploitation [2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Affected version range: = 1.04
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions
No linked articles in our index yet.