CVE-2025-69288

Source: security-advisories@github.com

CRITICAL
9.1
Published: December 31, 2025 at 10:15 PM
Modified: January 13, 2026 at 03:25 PM

Vulnerability Description

Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule in the database. The value is then passed to a NodeVM instance and executed as code. Without sanitization, this leads to Remote Code Execution. Version 0.99.49 fixes the issue.

CVSS Metrics

Base Score
9.1
Severity
CRITICAL
Vector String
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Weaknesses (CWE)

Source: security-advisories@github.com
NVD-CWE-noinfo
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Titra, an open-source project time tracking application, is vulnerable to Remote Code Execution (RCE). An authenticated administrator can store arbitrary JavaScript in the timeEntryRule setting; the server later hands that string to a NodeVM (vm2) sandbox and executes it, so whoever controls the rule controls the server-side Node process. The attacker already needs the Admin role in the application (CVSS PR:H); the impact is that an application admin becomes code execution on the host (scope changed, S:C).

02 // Vulnerability Mechanism

Step 1: Authentication: The attacker holds, or compromises, an account with the Admin role in Titra (phished credentials, password reuse, stolen session).

Step 2: Payload Crafting: The attacker writes a JavaScript "rule" that does something other than validate a time entry, for example reaching the host process object, requiring child_process, or opening an outbound connection, while still returning a value so the rule appears to work.

Step 3: Rule Modification: Using admin privileges, the attacker saves this string as the timeEntryRule (through the admin settings interface or the endpoint that backs it), replacing the legitimate rule in the database.

Step 4: Code Execution: When the server next evaluates the timeEntryRule (for example when a time entry is processed), the stored string runs inside NodeVM. Because the rule is treated as trusted code, the sandbox configuration does not stop it from reaching Node and OS facilities.

Step 5: Post-exploitation: The payload runs with the privileges of the Titra server process: reverse shell, reading the database connection string and other secrets from the environment, exfiltrating time tracking data, or pivoting to adjacent systems.

03 // Deep Technical Analysis

The root cause is that a value an application administrator can edit (timeEntryRule) is treated as server-side code. Titra evaluates the stored rule with NodeVM from the vm2 package, so whatever is saved in that setting runs inside the Node process. Two things are wrong with that design. First, the trust boundary: a Titra admin is an application-level role, not a server operator, and an application-level compromise (phished admin, reused password, session theft) should not become host compromise. Second, "sanitizing" a string that is going to be executed as JavaScript is not a meaningful defence; there is no character allowlist that separates a benign rule from a malicious one, because the language itself is the payload. Nor is NodeVM a trustworthy boundary: vm2 has a long record of sandbox escapes and its maintainers discontinued the project in 2023, recommending isolated-vm instead, and even an unescaped NodeVM can be configured to expose require() to the sandboxed code. The exact change in 0.99.49 is not described on this page; the robust shape of a fix is to stop executing admin-supplied code at all (a declarative rule format evaluated by fixed server code), or, if executable rules are a hard requirement, to run them in a separate unprivileged process with no access to the application's secrets.

04 // Exploitation Status

No public proof of concept and no exploitation in the wild are recorded on this page. A PoC is trivial to write regardless: the sink executes JavaScript by design, so any admin can exploit it by saving a rule that does something other than validate a time entry. The limiting factor is the admin credential (PR:H), which rules out unauthenticated mass exploitation; treat any internet-exposed Titra instance with weak, shared or unprotected admin credentials as at risk.

05 // Threat Intelligence

Because admin credentials are required, this is not an initial access vector; it is an escalation from an application admin to the server hosting the application. It matters most where the Titra Admin role is held by many people, where admin accounts lack MFA, or where the instance is exposed and shares infrastructure or secrets with more sensitive systems. At the time of this entry it is not listed in CISA KEV, and vulnerabilities that require a privileged account are rarely added unless exploitation is observed.

06 // Detection & Hunting

  • Audit changes to the stored timeEntryRule. Titra is a Meteor application backed by MongoDB, so a change stream or oplog watch on the settings document (or the application's own audit log, if enabled) gives you the actor, the timestamp and the before/after values. Any change to this field deserves a ticket; one containing require(, child_process, process., constructor.constructor or Function( is an incident.

  • Review web server and application logs for requests that update global settings, especially outside business hours, from unfamiliar source addresses, or from admin accounts that do not normally touch settings.

  • File integrity monitoring on the Titra installation and the host, to catch payloads that drop files or establish persistence.

  • Network telemetry: outbound connections from the Titra server to unfamiliar destinations (reverse shells, C2, exfiltration). A time tracking server should have a small, predictable egress profile, which makes anomalies easy to spot.

  • Process telemetry: the Titra node process spawning /bin/sh, bash, curl, wget, python or similar is the clearest signal of successful exploitation, because a time tracking application has no business doing so.

07 // Remediation & Hardening

  • Upgrade to Titra version 0.99.49 or later.

  • Stop treating the time entry rule as code. Character allowlisting on a JavaScript string does not work; replace free-form code with a declarative rule format (fields, operators, values) validated against a strict schema and evaluated by fixed server code.

  • If executable rules must stay, do not rely on NodeVM/vm2 as the security boundary: the project is discontinued and has a history of escapes. Run rules in a separate, unprivileged process (or isolated-vm), with no environment variables, no network access and a timeout.

  • Run the Titra process as an unprivileged OS user in a container with a read-only filesystem and restricted egress, so that code execution inside the application is contained; least privilege also applies to the MongoDB user the application connects with.

  • Protect the Admin role: MFA, a short and reviewed list of admin accounts, and no shared credentials.

  • Log and alert on every change to global settings, with before/after values and the acting user.

  • A Web Application Firewall adds little here: the payload is a legitimate settings update by an authenticated admin, and JavaScript is trivial to obfuscate. Do not count a WAF as a control for this issue.

08 // Affected Products

Titra versions prior to 0.99.49