Arbitrary code execution problem in Achievo
Summary / Impact analysis
Achievo is a web-based project management tool for business environments. It has been found to be vulnerable to an arbitrary code execution attack.
This vulnerability allows an attacker to execute arbitrary PHP code under the permissions of the web server. The only condition is that the attacker must be able to store code on a server that is accessible by the web server. Unless the web server is behind a firewall which blocks outbound connections from the web server, this is usually not a problem.
The attacker does not need to have an account on the Achievo installation to be able to exploit this vulnerability.
The following stable versions are affected: Achievo 0.8.1, Achievo 0.8.0, Achievo 0.8.0 RC2, Achievo 0.8.0 RC1
The following development versions are affected: Achievo 0.9.1, Achievo 0.9.0, Achievo 0.7.3, Achievo 0.7.2, Achievo 0.7.1, Achievo 0.7.0
A new stable version, Achievo 0.8.2, has been released which fixes this problem. A new development version should follow soon.
The problem lies at the top of class.atkdateattribute.js.php, where $config_atkroot is used in include_once statements without first being assigned the line
$config_atkroot = '../../';
This allows the attacker to supply $config_atkroot as a GET/POST/COOKIE variable and instruct the server to open a text file on a remote web server and interpret that file as a PHP script.
For example: we create a text file containing the following line:
<?php system('ls'); ?>
and save this in a webroot somewhere (e.g. http://attacker/ls.txt).
We then open our browser and pass this URL, followed by a question mark, on to class.atkdateattribute.js.php:
The output of 'ls' should appear in the output of the PHP script. Note that the script is executed several times: once for every include_once statement.
This is a relatively harmless example which only works on UNIX; Windows installations require <?php system('dir'); ?> instead. A malicious attacker can insert any code in the text file, instructing the server to read configuration or password files, execute database queries, or even remove files (within the limits of the web server's permissions).
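The following is an added illustration, not Achievo's own code, contrasting the include pattern the advisory describes (an unassigned $config_atkroot consumed by include_once under register_globals) with a hardened form that assigns the root first and confines every resolved include path to the application directory. The file name, the include target and the helper function are assumptions.

```php
<?php
// Added illustration (not Achievo code). Assumed location of this file:
// atk/attributes/class.atkdateattribute.js.php

// ---- 1. Vulnerable: $config_atkroot is never assigned in this script ----
// With register_globals=On, any GET, POST or COOKIE parameter named
// config_atkroot becomes this variable before the includes run, so the
// prefix of the included file is chosen by the request (a URL works when
// allow_url_fopen is on). Each include_once re-executes the fetched file.
//
//   include_once $config_atkroot . "atk/atkdate.inc";
//   include_once $config_atkroot . "atk/atkutils.inc";

// ---- 2. Hardened: assign the root first, then refuse non-local paths ----
$config_atkroot = '../../';   // the line the advisory quotes

/**
 * Resolve $rel against the fixed root and return the absolute path, or
 * null if it is not an existing file inside the application directory.
 * (Hypothetical helper, not part of Achievo.)
 */
function atk_safe_include_path($root, $rel)
{
    // Reject anything carrying a scheme (http://, ftp://, php:// ...).
    $scheme = '#^[a-z][a-z0-9+.\-]*://#i';
    if (preg_match($scheme, $root) || preg_match($scheme, $rel)) {
        return null;
    }
    $base = realpath(dirname(__FILE__) . '/' . $root);
    $full = ($base === false) ? false : realpath($base . '/' . $rel);
    // realpath() collapses "../", so a result outside $base means escape.
    if ($base === false || $full === false
        || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

$path = atk_safe_include_path($config_atkroot, 'atk/atkdate.inc');
if ($path === null) {
    header('HTTP/1.0 500 Internal Server Error');
    exit('invalid include path');
}
include_once $path;
```

Assigning $config_atkroot unconditionally is what closes the hole; the helper adds defence in depth so that a later regression cannot turn a path prefix into a remote fetch.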
Achievo can be found at: http://www.achievo.org/
Achievo 0.8.2, which fixes this vulnerability, is available at: http://www.achievo.org/download/