Achievo version 1.4.5 suffers from cross site scripting and remote SQL injection vulnerabilities.
Product: Achievo
Vendor: www.achievo.org
Vulnerable Version(s): 1.4.5 and probably prior
Tested Version: 1.4.5
Vendor Notification: November 14, 2012
Public Disclosure: December 5, 2012
Vulnerability Type: SQL Injection [CWE-89], Cross-Site Scripting [CWE-79]
CVE References: CVE-2012-5865, CVE-2012-5866
CVSSv2 Base Scores: 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Risk Level: Medium
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered two vulnerabilities in Achievo, which can be exploited to perform SQL injection and cross-site scripting (XSS) attacks.
1) SQL Injection vulnerability in Achievo: CVE-2012-5865
The vulnerability was discovered in the "dispatch.php" script while handling the "activityid" HTTP GET parameter. A remote authenticated attacker can inject and execute arbitrary SQL commands in application's database. Successful exploitation of this vulnerability requires that an attacker is logged-in into application (registration is closed by default).
The following PoC (Proof of Concept) code outputs version of the MySQL server:
http://[host]/dispatch.php?atknodetype=project.activity&atkaction=stats&activityid=0%20UNION%20SELECT%201,version%28%29,3,4
Registration is closed by default.
2) Cross-Site Scripting (XSS) vulnerability in Achievo: CVE-2012-5866
Input sanitation error was found in the "include.php" script when handling the "field" HTTP GET parameter. A remote attacker can execute arbitrary HTML and script code in user's browser in context of a vulnerable website.
The following PoC (Proof of Concept) outputs user's cookie:
http://[host]/include.php?file=atk/popups/colorpicker.inc&field=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
-----------------------------------------------------------------------------------------------
Solution:
Currently we are not aware of any vendor-supplied patches or other solutions.
-----------------------------------------------------------------------------------------------
# 0day.today [2018-01-10] #