NesterSoft WorkTime SQL Injection Vulnerability in Widget API Endpoint
Vulnerability
A SQL injection vulnerability has been identified in the NesterSoft WorkTime employee monitoring software, affecting versions through 11.8.8. An authenticated attacker with minimal permissions can inject SQL through the 'widget' API endpoint. With the Firebird database backend, all data in the database can be retrieved. With the MSSQL backend, the attacker can execute arbitrary SQL statements and access sensitive data.
Impact
Exploitation allows SQL injection, with an impact that depends on the database backend. On Firebird, the entire contents of the database can be exposed. On MSSQL, the attacker can execute arbitrary SQL statements, access sensitive information and, depending on the privileges of the database user and the server configuration, potentially execute operating system commands.
Reproduction
To reproduce this vulnerability, an authenticated user with minimal permissions sends a POST request to the '/api/widget' endpoint. The request must include a valid token; SQL can then be injected through the 'employee', 'computer' or 'department' parameters. On the Firebird backend the injection can be exploited with sqlmap. On MSSQL it can be used to execute arbitrary SQL statements and, depending on the database user's privileges, potentially OS commands.
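As a defensive counterpart to the reproduction steps, the following is an added example written for this advisory; it is not NesterSoft code and not part of the original report. It scans request logs for POSTs to '/api/widget' whose 'employee', 'computer' or 'department' values contain SQL metacharacters or keywords. It assumes a reverse proxy or WAF in front of WorkTime that logs the URL-encoded POST body in the constructed format shown (method, path, body on one line); a plain web-server access log does not record bodies, so this must be configured. The sample log lines are constructed for the example and are not real WorkTime traffic.

```python
"""Flag suspected SQL-injection attempts against the WorkTime '/api/widget'
endpoint in proxy/WAF logs that record the POST body.

Added example for this advisory; not NesterSoft code. Assumes (constructed
below) a log format of "METHOD PATH URL-ENCODED-BODY" per line, which is
not a standard web-server access log: a proxy or WAF in front of the
application must be configured to capture request bodies.
"""
import re
from urllib.parse import parse_qs

# Parameters the advisory names as injectable.
INJECTABLE_PARAMS = ("employee", "computer", "department")

# SQL metacharacters and keywords; numeric ids such as "42" never match,
# so legitimate widget requests produce no noise.
SQLI_PATTERN = re.compile(
    r"(['\";]|--|/\*|\b(union|select|waitfor|exec|xp_cmdshell|sleep|declare)\b)",
    re.IGNORECASE,
)

# Constructed sample lines (assumed proxy format, not real traffic).
SAMPLE_LOG = """\
POST /api/widget token=abc123&employee=42&computer=7&department=3
POST /api/widget token=abc123&employee=42'+AND+1=1--&computer=7&department=3
POST /api/widget token=abc123&employee=1&computer=1;WAITFOR+DELAY+'0:0:5'--&department=2
POST /api/login user=bob&password=x
POST /api/widget token=abc123&employee=42&computer=7&department=5+UNION+SELECT+1,2,3
"""

LINE_RE = re.compile(r"^(?P<method>\w+)\s+(?P<path>\S+)\s+(?P<body>.*)$")


def suspicious_params(body):
    """Return the injectable parameter names whose value matches SQLI_PATTERN.

    parse_qs decodes '+' to a space and %XX escapes, so the check runs on
    the value the application itself would see.
    """
    params = parse_qs(body, keep_blank_values=True)
    hits = []
    for name in INJECTABLE_PARAMS:
        if any(SQLI_PATTERN.search(value) for value in params.get(name, [])):
            hits.append(name)
    return hits


def scan_log(text):
    """Return (line_number, [parameter names]) for each suspicious /api/widget POST."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue
        # Only the vulnerable endpoint and method are of interest here.
        if m.group("method") != "POST" or m.group("path") != "/api/widget":
            continue
        hits = suspicious_params(m.group("body"))
        if hits:
            findings.append((lineno, hits))
    return findings


if __name__ == "__main__":
    for lineno, params in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: suspicious value in {', '.join(params)}")
```

The pattern is deliberately narrow (quotes, comment sequences and a handful of keywords) so that ordinary numeric identifiers do not trigger it; broaden it only if the application accepts free text in these parameters, and treat any hit from a low-privileged account as worth a closer look, since the advisory requires only minimal permissions to exploit.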
