CVE-2021-47967 Overview
CVE-2021-47967 affects PHP Timeclock 1.04, an open-source time tracking application distributed through SourceForge. The application contains multiple reflected cross-site scripting (XSS) vulnerabilities [CWE-79] across several core endpoints. Unauthenticated attackers can inject arbitrary JavaScript by appending payloads to URL paths targeting login.php, timeclock.php, audit.php, and timerpt.php. Attackers can also inject scripts through the from_date and to_date POST parameters in report generation requests. Successful exploitation executes attacker-controlled JavaScript in the victim's browser session, enabling session theft, credential harvesting, and unauthorized actions performed on behalf of authenticated users.
Critical Impact
Unauthenticated attackers can execute arbitrary JavaScript in victim browsers by tricking users into visiting crafted URLs targeting PHP Timeclock 1.04 endpoints.
Affected Products
- PHP Timeclock 1.04
- Endpoints: login.php, timeclock.php, audit.php, timerpt.php
- Report parameters: from_date, to_date
Discovery Timeline
- 2026-05-15 - CVE-2021-47967 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2021-47967
Vulnerability Analysis
The vulnerability stems from improper neutralization of user-supplied input before reflection in HTTP responses [CWE-79]. PHP Timeclock 1.04 echoes URL path components and POST parameters directly into rendered HTML without applying contextual output encoding. Attackers craft URLs that append JavaScript payloads to vulnerable endpoint paths or submit malicious values through the from_date and to_date parameters in report requests. The server returns the injected content as part of the response page, where the browser parses and executes it within the application's origin.
Because no authentication is required to reach the vulnerable endpoints, attackers can deliver payloads through phishing emails, malicious links on third-party sites, or compromised advertising. The XSS context allows execution of arbitrary client-side script in the browser of any user who visits the crafted URL.
Root Cause
The application fails to sanitize or HTML-encode input reflected from request URIs and POST bodies. PHP code paths handling login.php, timeclock.php, audit.php, and timerpt.php concatenate request data into HTML output without escaping characters such as <, >, ", and '. The from_date and to_date parameters used in timerpt.php for report generation are similarly reflected without validation against expected date formats.
Attack Vector
Exploitation requires user interaction. An attacker delivers a crafted link to a victim with an active session or browser access to the PHP Timeclock instance. When the victim clicks the link, the server reflects the payload and the browser executes it. The injected JavaScript runs with the privileges of the visiting user, enabling session cookie theft, form data exfiltration, and forced actions against the application. The vulnerability mechanism is described in the VulnCheck Advisory on PHP Timeclock and the Exploit-DB #49853 entry.
Detection Methods for CVE-2021-47967
Indicators of Compromise
- HTTP requests to login.php, timeclock.php, audit.php, or timerpt.php containing <script>, javascript:, onerror=, or URL-encoded equivalents in the path or query string.
- POST requests to timerpt.php with from_date or to_date parameter values containing HTML or JavaScript syntax instead of expected date formats.
- Web server access logs showing unusually long URI paths appended to PHP Timeclock endpoints.
Detection Strategies
- Deploy web application firewall (WAF) rules that inspect request paths and POST bodies for reflected XSS payload patterns targeting the affected endpoints.
- Enable verbose HTTP request logging on the PHP Timeclock host and review entries for script tags, event handlers, and encoded payloads.
- Review the Referer header on requests to the affected endpoints; requests that arrive from external sites, webmail, or messaging clients rather than from the application itself can indicate phishing-driven exploitation attempts.
Monitoring Recommendations
- Alert on any POST request to timerpt.php where from_date or to_date fails strict date format validation.
- Monitor for repeated access attempts to PHP Timeclock endpoints from the same source IP with varied payload patterns, indicating fuzzing.
- Track browser-reported Content Security Policy (CSP) violations if CSP headers are deployed in front of the application.
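The indicators and strategies above can be checked mechanically against web server access logs. The following script is an added example written for this page, not part of the advisory or of PHP Timeclock: it parses combined-format access-log lines (the sample lines are constructed), restricts itself to the four affected endpoints, percent-decodes the URI so encoded payloads are visible, and flags the script-tag, javascript: and event-handler patterns listed under Indicators of Compromise as well as unusually long URIs. The length threshold is an assumption to be tuned per instance.

```php
<?php
// Added detection example, not from the advisory or the PHP Timeclock project.
// Scans combined-format access-log lines for the XSS indicators listed above.
declare(strict_types=1);

const TIMECLOCK_ENDPOINTS = ['login.php', 'timeclock.php', 'audit.php', 'timerpt.php'];
const SUSPICIOUS_PATTERN  = '/<\s*script|javascript\s*:|on(?:error|load)\s*=/i';
const LONG_URI_THRESHOLD  = 200; // bytes; assumed value, tune to normal traffic

// Percent-decode repeatedly so that %3Cscript and %253Cscript both become
// visible; the iteration cap keeps pathological input from looping.
function normalizeUri(string $uri): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($uri);
        if ($decoded === $uri) {
            break;
        }
        $uri = $decoded;
    }
    return $uri;
}

// Extract client IP, timestamp, method, URI and status from one log line.
// Returns null for lines that are not in combined log format.
function parseAccessLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/';
    if (preg_match($re, $line, $m) !== 1) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'uri' => $m[4], 'status' => (int) $m[5]];
}

// One finding per line that targets a PHP Timeclock endpoint and carries an
// XSS pattern in the decoded URI or an unusually long raw URI.
function findXssIndicators(array $lines): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        $req = parseAccessLogLine($line);
        if ($req === null) {
            continue;
        }
        $path = explode('?', $req['uri'], 2)[0];
        $hitsEndpoint = false;
        foreach (TIMECLOCK_ENDPOINTS as $ep) {
            if (stripos($path, '/' . $ep) !== false) {
                $hitsEndpoint = true;
                break;
            }
        }
        if (!$hitsEndpoint) {
            continue;
        }
        $reasons = [];
        if (preg_match(SUSPICIOUS_PATTERN, normalizeUri($req['uri'])) === 1) {
            $reasons[] = 'xss-pattern';
        }
        if (strlen($req['uri']) > LONG_URI_THRESHOLD) {
            $reasons[] = 'long-uri';
        }
        if ($reasons !== []) {
            $findings[] = ['line' => $n + 1, 'ip' => $req['ip'], 'method' => $req['method'],
                           'uri' => $req['uri'], 'reasons' => $reasons];
        }
    }
    return $findings;
}

// Constructed sample log lines (not captured traffic). Lines 2 and 3 carry
// indicators; line 4 is a POST whose body is not in the access log; line 5
// carries a payload but targets a different application.
$sample = [
    '198.51.100.7 - - [15/May/2021:10:01:02 +0000] "GET /timeclock/login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/May/2021:10:01:09 +0000] "GET /timeclock/login.php/%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1601 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/May/2021:10:02:30 +0000] "GET /timeclock/audit.php?x=javascript:void(0) HTTP/1.1" 200 1840 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/May/2021:10:02:41 +0000] "POST /timeclock/timerpt.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [15/May/2021:10:03:00 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 404 210 "-" "curl/8.0"',
];

foreach (findXssIndicators($sample) as $f) {
    printf("line %d %s %s %s [%s]\n", $f['line'], $f['ip'], $f['method'],
           $f['uri'], implode(',', $f['reasons']));
}
```

The fourth sample line shows the limit of access-log review: POST bodies carrying from_date and to_date are not recorded there, so the body-based indicators need the verbose request logging or WAF inspection recommended above, with the logged parameter values checked against the strict date format.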
How to Mitigate CVE-2021-47967
Immediate Actions Required
- Restrict access to PHP Timeclock 1.04 to trusted internal networks using firewall rules or VPN-only access until a fix is applied.
- Place the application behind a WAF configured with OWASP Core Rule Set XSS protections.
- Educate users about phishing links referencing the PHP Timeclock host and instruct them to avoid clicking unfamiliar URLs.
Patch Information
No official vendor patch is referenced in the advisory data. PHP Timeclock is hosted on the Timeclock Project Homepage and the PHP Timeclock Download Page. Organizations should evaluate replacing PHP Timeclock 1.04 with an actively maintained time tracking solution, or apply source-level fixes that HTML-encode all reflected input using htmlspecialchars() with ENT_QUOTES and validate from_date and to_date against a strict date regex.
Workarounds
- Add reverse proxy rules that strip or reject request paths and parameters containing <, >, or script keywords before they reach PHP Timeclock.
- Deploy a strict Content Security Policy header that disallows inline script execution to limit the impact of reflected payloads.
- Validate from_date and to_date server-side against a YYYY-MM-DD pattern and reject any non-conforming input.
# Example nginx configuration to block common XSS payloads in request URIs.
# $request_uri is the raw, undecoded request line, so the pattern matches both
# literal and percent-encoded forms; ~* makes the match case-insensitive.
location ~ \.php$ {
    if ($request_uri ~* "(<|%3C)script|javascript:|onerror=|onload=") {
        return 403;
    }
    # Disallow inline script so a reflected payload that slips past the
    # filter is not executed by the browser.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'";
}
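The Root Cause section describes request data concatenated into HTML without escaping, and the Patch Information and Workarounds sections describe the source-level fix: htmlspecialchars() with ENT_QUOTES on every reflected value and strict YYYY-MM-DD validation of from_date and to_date. The following PHP is an added illustration of that fix, not PHP Timeclock's own code: the endpoint and parameter names come from the advisory, while the handler bodies are hypothetical reconstructions of the reflected-output pattern. The calendar check after the regex goes beyond the advisory's regex-only advice.

```php
<?php
// Added illustration, not PHP Timeclock's own code. The endpoint and parameter
// names come from the advisory; the handler bodies are hypothetical
// reconstructions of the reflected-output pattern it describes.
declare(strict_types=1);

// Vulnerable pattern: request data is concatenated straight into HTML, so a
// value such as "<script>...</script>" is returned verbatim and the browser
// parses it inside the application's origin.
function renderReportHeaderVulnerable(array $post, string $requestUri): string
{
    $from = $post['from_date'] ?? '';
    $to   = $post['to_date'] ?? '';
    return "<p>Report for $from to $to</p>\n"
         . "<p>Requested: $requestUri</p>\n";
}

// Contextual output encoding for HTML text and quoted attribute values.
// ENT_QUOTES encodes both " and ' so a value cannot break out of an attribute;
// ENT_SUBSTITUTE prevents an empty result on malformed UTF-8.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Strict YYYY-MM-DD validation. The regex enforces the shape the advisory asks
// for; the round trip through DateTimeImmutable additionally rejects impossible
// dates such as 2021-02-30, which PHP would otherwise roll over silently.
function isValidDate(string $value): bool
{
    if (preg_match('/^\d{4}-\d{2}-\d{2}$/', $value) !== 1) {
        return false;
    }
    $dt = DateTimeImmutable::createFromFormat('!Y-m-d', $value);
    return $dt !== false && $dt->format('Y-m-d') === $value;
}

// Hardened pattern: validate first, encode everything on output. Returns null
// when a date fails validation so the caller can answer with a generic error
// instead of reflecting the rejected value.
function renderReportHeaderHardened(array $post, string $requestUri): ?string
{
    $from = (string) ($post['from_date'] ?? '');
    $to   = (string) ($post['to_date'] ?? '');
    if (!isValidDate($from) || !isValidDate($to)) {
        return null;
    }
    // The dates are already constrained, but encoding them anyway costs
    // nothing; the request URI is free-form, so encoding it is mandatory.
    return "<p>Report for " . h($from) . " to " . h($to) . "</p>\n"
         . "<p>Requested: " . h($requestUri) . "</p>\n";
}

// Constructed demonstration input, not captured traffic.
$injected = ['from_date' => '<script>alert(1)</script>', 'to_date' => '2021-01-31'];
$clean    = ['from_date' => '2021-01-01', 'to_date' => '2021-01-31'];
$uri      = '/timerpt.php/<script>alert(1)</script>';

echo renderReportHeaderVulnerable($injected, $uri);    // script element reflected as-is
var_dump(renderReportHeaderHardened($injected, $uri)); // rejected input yields null
echo renderReportHeaderHardened($clean, $uri);         // URI rendered as inert text
```

Validation and encoding are deliberately separate steps: validation keeps bad dates out of the report logic, while encoding on output is what actually prevents the XSS, since the request URI cannot be reduced to an allow-list the way a date can.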
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.