[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] XSS, LFI and SQL Injection Vulnerabilities in Achievo



On Thu, Nov 01, 2012 at 02:12:10PM +0200, Netsparker Advisories wrote:
> Information
> --------------------
> Name :  XSS, LFI and SQL Injection Vulnerabilities in Achievo
> Software :  Achievo 1.4.5 and possibly below.
> Vendor Homepage :  http://www.achievo.org
> Vulnerability Type :  Cross-Site Scripting, Local File Inclusion and SQL
> Injection
> Severity :  Critical
> Researcher :  Canberk Bolat
> Advisory Reference :  NS-12-016
> 
> Description
> --------------------
> Achievo is a flexible web-based resource management tool for business
> environments. Achievo's resource management capabilities will enable
> organisations to support their business processes in a simple, but
> effective manner.
> 
> Details
> --------------------
> Achievo is affected by XSS, LFI and SQL Injection vulnerabilities in
> version 1.4.5.
> XSS: http://example.com/dispatch.php (GET: atklevel, atkaction, atkstackid,
> atkselector, atkfilter, searchString)
> LFI:
> http://example.com/dispatch.php?atkaction=search&atknodetype=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00.search&searchstring=3
> SQL Injection:
> http://example.com/achievo-1.4.5/dispatch.php?atknodetype=employee.userprefs&atkaction=edit&atkselector=(SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)&atklevel=-1&atkprevlevel=0&=3
> You can read the full article about Cross-Site Scripting, LFI and SQL
> Injection vulnerabilities from here:
> 
> Cross-site Scripting (XSS):
> http://www.mavitunasecurity.com/crosssite-scripting-xss/
> Local File Inclusion: http://www.mavitunasecurity.com/local-file-inclusion/
> Blind SQL Injection: http://www.mavitunasecurity.com/blind-sql-injection/
> 
> Solution
> --------------------
> -
> 
> Advisory Timeline
> --------------------
> 23/01/2011 - First contact
> 25/02/2012 - Second contact - No response
> 01/11/2012 - Advisory released
> 
> Credits
> --------------------
> It has been discovered on testing of Netsparker, Web Application Security
> Scanner - http://www.mavitunasecurity.com/netsparker/.
> 
> References
> --------------------
> Vendor Url / Patch : -
> MSL Advisory Link :
> http://www.mavitunasecurity.com/xss-lfi-and-sql-injection-vulnerabilities-in-achievo/
> Netsparker Advisories :
> http://www.mavitunasecurity.com/netsparker-advisories/
> 
> About Netsparker
> --------------------
> Netsparker® can find and report security issues such as SQL Injection and
> Cross-site Scripting (XSS) in all web applications regardless of the
> platform and the technology they are built on. Netsparker's unique
> detection and exploitation techniques allows it to be dead accurate in
> reporting hence it's the first and the only False Positive Free web
> application security scanner.

Where did you report this vulnerability? Achievo-project does reply to emails and fix security vulnerabilities. Does this vulnerability have CVE-identifier, which would help in communication.

I can report this to the project again and request CVE-identifier if needed. Please confirm that this is OK for you.

- Henri Salo