Recent changes to bugs

#18 SQLI/stored XSS vulnerabilities

ac — Tue, 07 May 2024 12:32:48 -0000

we further found request race vulnerabilities in version 1.0.4 of the application. Please contact us at ca224test@gmail.com, so we can provide reproducing steps of the vulnerabilities.

SQLI/stored XSS vulnerabilities

ac — Sun, 04 Dec 2022 19:47:52 -0000

To the developers,

In the progress of our security research project, we found SQLI/stored XSS vulnerabilities in version 1.0.4 of the application. SQLI Related files: groupadmin.php, officeadmin.php. stored XSS related files: display.php, leftmain.php, timeedit.php

Please contact us at ca224test@gmail.com, so we can provide reproducing steps of the vulnerabilities.
Thank you.

SQL Injection and Cross Site Scripting Vulnerabilities

Tyler Butler — Sat, 08 May 2021 12:52:34 -0000

PHP Timeclock versions 1.04 and prior suffer from serious security vulnerabilities including SQL injection and Cross Site Scripting. This goes without saying but do not use this product anymore in 2021. You can read more about the vulnerabilities here https://github.com/tcbutler320/PHP-Timeclock-1.04-XSS-SQLI or on exploit-db here https://www.exploit-db.com/exploits/49849.

SQL Injection and Cross Site Scripting

Tyler Butler — Sat, 08 May 2021 12:51:04 -0000

1.06 not listed/uploaded to sf.net??

Zeb Cameron — Wed, 15 May 2013 09:15:08 -0000

new version not released yet to sf.net??? 1.06 out right??

PHP 4 & 5 running at same time...

Ernest Buffington — Sun, 16 Mar 2008 05:00:20 -0000

adminuser.php and searchuser.php in the admin area have a display problem in the current zip release. I was able to fix the problems myself but you might want to have a look.

Note: I am running PHP4 and 5 at the same time... not many folks have a need to do this, I'm a developer so I have a use for both.

Why?
A lot of appz do not run right under the improved 5 object environment.

Other than those 2 files everything seems to be pretty tight, great work!

PHP TImeclock Page not Loading Properly...

Adrian Anhood — Wed, 15 Aug 2007 20:38:52 -0000

I have as many as 50 people access this PHP Timeclock system. We have had a reoccurring problem of where the software does not load consistently.

Page comes up either:
1) Blank with a white page.
2) With some type of configuration screen that shows a menu with Apple Talk, NetBeui, NetWare, SNTP, TCP/IP, etc.
3) A timeout.

I have restarted the server, as well as restarted the httpd service. I am unable to determine what is causing this so erratically.

We have timeclock.mydomain.com as a virtual server pointing to the PHP directory.

The system is a CentOS 5.0 server with all updates. RPM packages version are as follows:

httpd-2.2.3-7.el5.centos

mysql-5.0.22-2.1
mysql-server-5.0.22-2.1

php-mysql-5.1.6-12.el5
php-5.1.6-12.el5
php-common-5.1.6-12.el5
php-cli-5.1.6-12.el5
php-mbstring-5.1.6-12.el5
php-ldap-5.1.6-12.el5

Edit Page - Wrong Timestamp Range

Ryan Williams — Thu, 17 May 2007 23:42:10 -0000

timeedit.php is only selecting punchitems up unitl 2pm on the day i select.

Add & Delete work fine, its just Edit that doesn't work

I'm using 24 hour time format, GMT +10 timezone and euro calendar.

Possible Race Condition

Ben — Fri, 04 May 2007 20:58:53 -0000

leftmain.php line 360 begins s sequence of calls to gmdate. there exists a slight possibility for an error of one hour. (other errors are possible, but not of as great of concern for me :-) )

consider the following at 4:59:59.65 I punch out.
at 4:59:59.99 the line $hour = gmdate('H'); is executed.
at 5:00:00.00 the line $min = gmdate('i'); is executed.
the recorded punch will read 4:00.

why not use time()? acording to the php manual http://us2.php.net/manual/en/function.time.php this is also GMT.

Timeclock mis-handles future time entries

Tom Scrape — Fri, 09 Mar 2007 21:58:28 -0000

Timeclock 1.03 errs when future time has been entered.

I entered time for tomorrow (in and out) before having clocked out for today. The Out time for tomorrow shows up as the current status on the home page, and both In and Out show up in Edit Time for today's date (as well as where it should be on tomorrow's date).

Clocking out for today set the current Out status appropriately (Out for today with the correct Out time).

Deleting tomorrow's Out (and leaving the In), however, does not set the current status to In with tomorrow's In time. This, of course, should be expected.

Furthermore, deleting the last Out for today (the one just entered), thus leaving only an In, removes the user's status completely from the home page - even though one of the Ins should be the current status. The time must be modified for the user to appear again.

Apologies if this is confusing as I've just found it out and haven't tried to discover the source error. If someone else can confirm similar behavior on their installation, I'd appreciate it.

Let me know if further details are necessary.