PHP Timeclock Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in PHP Timeclock version 1.04. This vulnerability allows unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. The affected endpoints include login.php, timeclock.php, audit.php, and timerpt.php. Additionally, the from_date and to_date parameters in report requests can be exploited to execute scripts in user browsers.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, navigate to a site using PHP Timeclock 1.04 or earlier. For reflected XSS via GET requests, append a payload to the URL of one of the vulnerable endpoints. For reflected XSS via POST requests, intercept a report request using a proxy tool like BurpSuite and inject a payload into the from_date or to_date fields.