On Thu, Nov 01, 2012 at 02:12:10PM +0200, Netsparker Advisories wrote: > Information > -------------------- > Name : XSS, LFI and SQL Injection Vulnerabilities in Achievo > Software : Achievo 1.4.5 and possibly below. > Vendor Homepage : http://www.achievo.org > Vulnerability Type : Cross-Site Scripting, Local File Inclusion and SQL > Injection > Severity : Critical > Researcher : Canberk Bolat > Advisory Reference : NS-12-016 > > Description > -------------------- > Achievo is a flexible web-based resource management tool for business > environments. Achievo's resource management capabilities will enable > organisations to support their business processes in a simple, but > effective manner. > > Details > -------------------- > Achievo is affected by XSS, LFI and SQL Injection vulnerabilities in > version 1.4.5. > XSS: http://example.com/dispatch.php (GET: atklevel, atkaction, atkstackid, > atkselector, atkfilter, searchString) > LFI: > http://example.com/dispatch.php?atkaction=search&atknodetype=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00.search&searchstring=3 > SQL Injection: > http://example.com/achievo-1.4.5/dispatch.php?atknodetype=employee.userprefs&atkaction=edit&atkselector=(SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)&atklevel=-1&atkprevlevel=0&=3 > You can read the full article about Cross-Site Scripting, LFI and SQL > Injection vulnerabilities from here: > > Cross-site Scripting (XSS): > http://www.mavitunasecurity.com/crosssite-scripting-xss/ > Local File Inclusion: http://www.mavitunasecurity.com/local-file-inclusion/ > Blind SQL Injection: http://www.mavitunasecurity.com/blind-sql-injection/ > > Solution > -------------------- > - > > Advisory Timeline > -------------------- > 23/01/2011 - First contact > 25/02/2012 - Second contact - No response > 01/11/2012 - Advisory released > > Credits > -------------------- > It has been discovered on testing of Netsparker, Web Application Security > Scanner - http://www.mavitunasecurity.com/netsparker/. > > References > -------------------- > Vendor Url / Patch : - > MSL Advisory Link : > http://www.mavitunasecurity.com/xss-lfi-and-sql-injection-vulnerabilities-in-achievo/ > Netsparker Advisories : > http://www.mavitunasecurity.com/netsparker-advisories/ > > About Netsparker > -------------------- > Netsparker® can find and report security issues such as SQL Injection and > Cross-site Scripting (XSS) in all web applications regardless of the > platform and the technology they are built on. Netsparker's unique > detection and exploitation techniques allows it to be dead accurate in > reporting hence it's the first and the only False Positive Free web > application security scanner. Where did you report this vulnerability? Achievo-project does reply to emails and fix security vulnerabilities. Does this vulnerability have CVE-identifier, which would help in communication. I can report this to the project again and request CVE-identifier if needed. Please confirm that this is OK for you. - Henri Salo
