NovaCHRON Smart Time Plus SQL Injection Vulnerability Allowing Unauthenticated Database Manipulation
Vulnerability
A SQL injection vulnerability has been identified in NovaCHRON Smart Time Plus versions 8.x prior to 8.6. The issue arises in the 'addProject' method within the 'smarttimeplus/MySQLConnection' endpoint, allowing for unauthenticated insertion of data into the database. This vulnerability can be exploited to create new admin users, bypassing authentication entirely.
Impact
Exploiting this vulnerability lets an attacker inject SQL without authorization, manipulate the database, and potentially escalate privileges by creating admin users.
Reproduction
The vulnerability can be reproduced by sending a POST request to the 'smarttimeplus/MySQLConnection' endpoint. The 'addProject' method can be invoked without any authentication, using GWT (Google Web Toolkit) syntax to exploit the SQL injection. Once the injection is successful, it is possible to insert data into the database, such as creating a new admin user.
Remediation
Users are advised to update to NovaCHRON Smart Time Plus version 8.6 or later, as this version addresses the SQL injection vulnerabilities. Ensure that the MySQL server is also secured with a password.
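Until the update is in place, the request shape described under Reproduction can be triaged from proxy logs. The following is an added example, not NovaCHRON's code and not part of the original advisory. It assumes a reverse proxy that records request bodies and a session flag; the event field names, the service name, the policy hash and the sample values are constructed placeholders.

```python
import re

ENDPOINT = "smarttimeplus/MySQLConnection"  # endpoint named in the advisory
RPC_METHOD = "addProject"                   # method named in the advisory
# Heuristic markers that rarely belong in a project field; tune for your data.
SQL_META = re.compile(r"'|--|;|/\*|\binsert\s+into\b", re.I)

def parse_gwt_rpc(body):
    """Return (string_table, payload) for a GWT-RPC body, or None if malformed."""
    parts = body.rstrip("|").split("|")
    try:
        count = int(parts[2])               # version|flags|table size|...
    except (IndexError, ValueError):
        return None
    if len(parts) < 3 + count + 4:          # table plus 4 header indices
        return None
    return parts[3:3 + count], parts[3 + count:]

def classify(event):
    """Triage one logged request: 'ignore', 'review' or 'alert'."""
    if event["http_method"] != "POST" or ENDPOINT not in event["path"]:
        return "ignore"
    parsed = parse_gwt_rpc(event["body"])
    if parsed is None:
        return "review"                     # malformed RPC sent to this endpoint
    strings, payload = parsed
    try:
        header = [int(i) for i in payload[:4]]  # base URL, policy, service, method
        if min(header) < 1:
            return "review"
        method = strings[header[3] - 1]     # string-table indices are 1-based
    except (IndexError, ValueError):
        return "review"
    if method != RPC_METHOD:
        return "ignore"
    # Every table string that is not part of the RPC header is argument data.
    args = [s for i, s in enumerate(strings, 1) if i not in header]
    if any(SQL_META.search(a) for a in args):
        return "alert"
    return "ignore" if event["has_session"] else "review"

# Constructed samples: service name, policy hash and values are placeholders.
def _ev(body, has_session=False, path="/" + ENDPOINT):
    return {"http_method": "POST", "path": path, "has_session": has_session, "body": body}

def _body(method, value):
    table = f"http://host.example/smarttimeplus/|POLICYHASH|example.PlaceholderService|{method}"
    return f"7|0|6|{table}|java.lang.String/2004016611|{value}|1|2|3|4|1|5|6|"

SAMPLES = [_ev(_body("addProject", "Q3 rollout"), True), _ev(_body("addProject", "Q3 rollout")),
           _ev(_body("addProject", "demo' --")), _ev(_body("getProjects", "x")), _ev("not-gwt")]
```

A `review` result marks an `addProject` call that arrived without a session, or a malformed body sent to the endpoint; `alert` marks argument strings containing SQL metacharacters.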
