Research and Development


Timesheet 1.2.1 Blind SQL Injection Vulnerability


Timesheet.php is a PHP application designed to keep track of
the hours worked by multiple people on multiple projects. It
allows users to log in through their web browser and manage
the times that they are clocked on or clocked off.


The vulnerability is in the file login.php, in the
$_POST['username'] variable. When magic_quotes_gpc is set to Off,
an intruder can trigger a blind SQL injection.


1. Disclosure of the administrator username and password
hash (MD5, PASSWORD) credentials.
2. Remote code execution, if the intruder knows a local path
where the output of the SQL injection can be saved.


Create an addslashes function that filters the $_POST and
$_GET variables.
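
A sketch of the filter described above, as an added example that is not code from Timesheet or from the advisory's authors. It goes beyond the advisory by also showing a prepared statement. The function names, the users table and the sample values are hypothetical, and the in-memory SQLite database assumes the pdo_sqlite extension.

```php
<?php
// Added example: constructed code, not Timesheet's own login.php.

// The advisory's fix: escape every request value with addslashes(),
// recursing into nested arrays.
function escape_request($value)
{
    if (is_array($value)) {
        return array_map('escape_request', $value);
    }
    return addslashes((string) $value);
}

// Escape only when magic_quotes_gpc is Off, otherwise values PHP has
// already escaped would be escaped twice. ini_get() returns false on
// PHP versions that no longer have the setting.
function filter_request(array $input)
{
    return ini_get('magic_quotes_gpc') ? $input : escape_request($input);
}

// Stronger alternative: a prepared statement keeps the username out of
// the SQL text, so no escaping rule has to match the database.
function find_user(PDO $db, $username)
{
    $stmt = $db->prepare('SELECT username FROM users WHERE username = ?');
    $stmt->execute(array($username));
    return $stmt->fetchColumn(); // false when no row matches
}

// Constructed request data standing in for $_POST.
$post = array('username' => "o'brien", 'tags' => array("a'b", 'c\\d'));
var_dump(filter_request($post));

// Constructed (hypothetical) table in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, password TEXT)');
$db->exec("INSERT INTO users VALUES ('admin', 'constructed-hash')");

var_dump(find_user($db, 'admin'));
var_dump(find_user($db, "o'brien"));
```

addslashes() does not know the database connection's character set, which is why the prepared-statement form is the more robust of the two.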

dwayner79 at
vexil at

Time table:

Notified: 09/04/2006
Response: No Response
Public disclosure: 09/05/2006
Updates: N/A


Research By: Secaware Research
Research Site:
Research Mail: secaware2006 at yahoo dot com



Listing of Secaware Research Output for selected Vulnerable Open Source Web Application

Web Application Vulnerabilities are the following:

1. Arbitrary Local File Inclusion Vulnerability
2. Arbitrary Local File Retrieval Vulnerability
3. Remote File Inclusion Vulnerability
4. Remote Code Execution Vulnerability
5. Remote SQL Injection Vulnerability
6. Remote Blind SQL Injection Vulnerability
7. XSS Cross-site Scripting Vulnerability