exploit the possibilities

Achievo 1.4.5 Cross Site Scripting / SQL Injection

Achievo 1.4.5 Cross Site Scripting / SQL Injection
Posted Dec 7, 2012
Authored by High-Tech Bridge SA | Site htbridge.com

Achievo version 1.4.5 suffers from cross site scripting and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
advisories | CVE-2012-5865, CVE-2012-5866
MD5 | 9c94bf8aa4cdb768e2fc610b4f4721bf

Achievo 1.4.5 Cross Site Scripting / SQL Injection

Change Mirror Download
Advisory ID: HTB23126
Product: Achievo
Vendor: www.achievo.org
Vulnerable Version(s): 1.4.5 and probably prior
Tested Version: 1.4.5
Vendor Notification: November 14, 2012
Public Disclosure: December 5, 2012
Vulnerability Type: SQL Injection [CWE-89], Cross-Site Scripting [CWE-79]
CVE References: CVE-2012-5865, CVE-2012-5866
CVSSv2 Base Scores: 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Risk Level: Medium
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered two vulnerabilities in Achievo, which can be exploited to perform SQL injection and cross-site scripting (XSS) attacks.


1) SQL Injection vulnerability in Achievo: CVE-2012-5865

The vulnerability was discovered in the "dispatch.php" script while handling the "activityid" HTTP GET parameter. A remote authenticated attacker can inject and execute arbitrary SQL commands in application's database. Successful exploitation of this vulnerability requires that an attacker is logged-in into application (registration is closed by default).

The following PoC (Proof of Concept) code outputs version of the MySQL server:

http://[host]/dispatch.php?atknodetype=project.activity&atkaction=stats&activityid=0%20UNION%20SELECT%201,version%28%29,3,4
Registration is closed by default.


2) Cross-Site Scripting (XSS) vulnerability in Achievo: CVE-2012-5866

Input sanitation error was found in the "include.php" script when handling the "field" HTTP GET parameter. A remote attacker can execute arbitrary HTML and script code in user's browser in context of a vulnerable website.

The following PoC (Proof of Concept) outputs user's cookie:
http://[host]/include.php?file=atk/popups/colorpicker.inc&field=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

-----------------------------------------------------------------------------------------------

Solution:

Currently we are not aware of any vendor-supplied patches or other solutions.

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23126 - https://www.htbridge.com/advisory/HTB23126 - Multiple vulnerabilities in Achievo.
[2] Achievo - http://www.achievo.org/ - Achievo is a flexible web-based resource management tool for business environments. Achievo's resource management capabilities will enable organisations to support their business processes in a simple, but effective manner.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
Login or Register to add favorites

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close