
[InterN0T] Achievo 1.3.4 - XSS Vulnerability



Achievo - Cross Site Scripting Vulnerability

Version Affected: 1.3.4 (August 12, 2008) (newest)

Info: Achievo is a flexible web-based resource management tool for business 
environments.
Achievo's resource management capabilities will enable organisations to support 
their business processes in a simple, but effective manner.

It is a solution that fits seamlessly to the wishes of every organisation and 
offers the possibility and freedom to adapt the functionality to the needs of 
the organisation. It will fit into every organisation because Achievo is 
extremely easy to change to your specific situation.

Opinion: Achievo seems to know what they're doing, or perhaps it's just because 
99% of the platform is locked down.

Credits: webDEViL (for inspiring me) and all of InterN0T :-)

Googled0rk: (we were unable to produce an accurate d0rk)
inurl:/achievo/index.php intitle:achievo

However, why would One need a Googled0rk when One can just look here?
http://www.achievo.org/product/testimonials/

External Links:
http://www.achievo.org/
http://www.achievo.org/download/
http://www.achievo.org/demo/

Default Admin User:
administrator


-:: The Advisory ::-

Version Information:
http://www.website.tld/achievo/doc/CHANGES

Vulnerable Function / ID Calls: (XSS)
atkaction (this has to be used in conjunction with another main function call!)

Cross Site Scripting: 
1. http://www.website.tld/achievo/index.php?";><script>alert(0)</script><br
Explained: The above has minimal impact as it is almost impossible, if not 
impossible, to abuse. It works only when One is NOT logged in.

2. 
http://www.website.tld/achievo/dispatch.php?atknodetype=pim.pim&atkaction=<script>alert(document.cookie)</script>
Explained: The above has greater impact as it will survive a login. This 
parameter is not filtered either. It works only when One IS logged in.

Additional Information:
If $config_session_regenerate = false; in config.inc.php is changed to 'true', 
the session ID will be regenerated on each hit/click, preventing session 
hijacking.


-:: Solution ::-
The easiest solution is to validate user input and strip or encode bad / HTML 
characters before they are written into the page. Setting the above option to 
true might solve the issue partially; however, session hijacking is only one of 
the things you can do with cross site scripting.
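As an added illustration of that fix (this is not Achievo's own code, and the page layout below is hypothetical; only the atkaction parameter name and the payload come from the advisory), here is a minimal stand-in for a dispatch-style page that reflects the parameter into its HTML, first unencoded and then HTML-encoded at the point of output:

```php
<?php
// Added illustration, not Achievo's own code. The parameter name "atkaction"
// is taken from the advisory; the surrounding markup is a hypothetical stand-in.

// Vulnerable pattern: the raw query value is concatenated into the markup,
// so a value like <script>...</script> is delivered to the browser as a tag.
function render_action_vulnerable(string $atkaction): string
{
    return '<div class="action">Action: ' . $atkaction . '</div>';
}

// Hardened pattern: every untrusted value is HTML-encoded when it is output.
// ENT_QUOTES also encodes ' and ", so the value stays inert inside attribute
// values (the ";> style breakout in the first PoC), not only in text nodes.
function render_action_safe(string $atkaction): string
{
    $encoded = htmlspecialchars($atkaction, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="action">Action: ' . $encoded . '</div>';
}

// Optional extra layer: only accept values that are known action names.
// Achievo's real action list is not on the page, so these names are placeholders.
function is_known_action(string $atkaction): bool
{
    $allowed = ['view', 'edit', 'add', 'delete', 'search']; // placeholder names
    return in_array($atkaction, $allowed, true);
}

// Small self-check helper so the script fails loudly instead of silently.
function check(bool $condition, string $message): void
{
    if (!$condition) {
        throw new RuntimeException('check failed: ' . $message);
    }
}

// Constructed sample input: the payload quoted in the advisory.
$payload = '<script>alert(document.cookie)</script>';

$vuln = render_action_vulnerable($payload);
$safe = render_action_safe($payload);

check(strpos($vuln, '<script>') !== false, 'vulnerable output still carries a raw script tag');
check(strpos($safe, '<script>') === false, 'hardened output must not contain a raw tag');
check(strpos($safe, '&lt;script&gt;') !== false, 'hardened output encodes the tag as text');
check(is_known_action($payload) === false, 'payload is not an allowed action');
check(is_known_action('view') === true, 'a real action name is still accepted');

echo "vulnerable: $vuln\n";
echo "hardened:   $safe\n";
```

Run it with `php example.php`; the hardened line shows the payload as literal text (`&lt;script&gt;...`) while the vulnerable line shows the tag intact. Encoding at output is the fix that holds regardless of which parameter the value arrives in; the allow-list is a second, independent layer for a parameter like atkaction that should only ever hold a small set of known names.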

Conclusion:
Achievo generally seems like a secure system, with the exception of the above. 
This advisory didn't contain that much, but it is still one very minor and one 
minor hole. Basically, the success of exploitation relies entirely on the 
administrator or user you execute this attack on.

Reference:
http://forum.intern0t.net/exploits-vulnerabilities-pocs/1053-intern0t-achievo-1-3-4-cross-site-scripting-vulnerability.html

Disclosure Information:
- Vulnerabilities found, researched and confirmed the 27th and 28th May 2009.
- Advisory finished and published on InterN0T the 28th May.
- Bugtraq (SecurityFocus) and Milw0rm contacted the 28th May.
*Achievo will be contacted soon as well.


All of the best,
MaXe