timetrex-xss.txt

2008-08-22T00:00:00
ID PACKETSTORM:69304
Type packetstorm
Reporter DoZ
Modified 2008-08-22T00:00:00

Description

                                        
                                            `[HSC] TimeTrex Time and Attendance Cookie Theft  
  
  
TimeTrex allows companies to track and monitor employee attendance  
accurately in real-time from anywhere  
  
in the world. An attacker may leverage these issues to execute arbitrary  
script code in the browser of  
  
an unsuspecting user in the context of the affected site. Attacker can  
tricks the user's computer into  
  
running code which is treated as trustworthy because it appears to belong to  
the server, allowing the  
  
attacker to obtain a copy of the cookie or perform other operations.  
  
  
  
Hackers Center Security Group (http://www.hackerscenter.com)  
Credit: Doz  
  
Class: Cross Site Scripting  
Remote: Yes  
  
Product: TimeTrex  
Vendor: http://www.timetrex.com  
Version: N/A  
  
  
Attackers can exploit these issues via a web client.  
  
  
http://site.com/interface/Login.php?user_name=admin&password=XSS  
http://site.com/interface/Login.php?user_name=XSS  
  
  
  
  
  
Google Dork: TimeTrex Time and Attendance - Secure Login  
`