Message-ID: <20121102063742.GA29991@kludge.henri.nerv.fi>
Date: Fri, 2 Nov 2012 08:37:42 +0200
From: Henri Salo <henri@...v.fi>
To: Netsparker Advisories <advisories@...itunasecurity.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: XSS, LFI and SQL Injection Vulnerabilities in Achievo

On Thu, Nov 01, 2012 at 02:12:10PM +0200, Netsparker Advisories wrote:
> Information
> --------------------
> Name :  XSS, LFI and SQL Injection Vulnerabilities in Achievo
> Software :  Achievo 1.4.5 and possibly below.
> Vendor Homepage :  http://www.achievo.org
> Vulnerability Type :  Cross-Site Scripting, Local File Inclusion and SQL
> Injection
> Severity :  Critical
> Researcher :  Canberk Bolat
> Advisory Reference :  NS-12-016
> 
> Description
> --------------------
> Achievo is a flexible web-based resource management tool for business
> environments. Achievo's resource management capabilities will enable
> organisations to support their business processes in a simple, but
> effective manner.
> 
> Details
> --------------------
> Achievo is affected by XSS, LFI and SQL Injection vulnerabilities in
> version 1.4.5.
> XSS: http://example.com/dispatch.php (GET: atklevel, atkaction, atkstackid,
> atkselector, atkfilter, searchString)
> LFI:
> http://example.com/dispatch.php?atkaction=search&atknodetype=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00.search&searchstring=3
> SQL Injection:
> http://example.com/achievo-1.4.5/dispatch.php?atknodetype=employee.userprefs&atkaction=edit&atkselector=(SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)&atklevel=-1&atkprevlevel=0&=3
> You can read the full article about Cross-Site Scripting, LFI and SQL
> Injection vulnerabilities from here:
> 
> Cross-site Scripting (XSS):
> http://www.mavitunasecurity.com/crosssite-scripting-xss/
> Local File Inclusion: http://www.mavitunasecurity.com/local-file-inclusion/
> Blind SQL Injection: http://www.mavitunasecurity.com/blind-sql-injection/
> 
> Solution
> --------------------
> -
> 
> Advisory Timeline
> --------------------
> 23/01/2011 - First contact
> 25/02/2012 - Second contact - No response
> 01/11/2012 - Advisory released
> 
> Credits
> --------------------
> It has been discovered on testing of Netsparker, Web Application Security
> Scanner - http://www.mavitunasecurity.com/netsparker/.
> 
> References
> --------------------
> Vendor Url / Patch : -
> MSL Advisory Link :
> http://www.mavitunasecurity.com/xss-lfi-and-sql-injection-vulnerabilities-in-achievo/
> Netsparker Advisories :
> http://www.mavitunasecurity.com/netsparker-advisories/
> 
> About Netsparker
> --------------------
> Netsparker® can find and report security issues such as SQL Injection and
> Cross-site Scripting (XSS) in all web applications regardless of the
> platform and the technology they are built on. Netsparker's unique
> detection and exploitation techniques allow it to be dead accurate in
> reporting, hence it's the first and the only False Positive Free web
> application security scanner.

Where did you report this vulnerability? The Achievo project does reply to emails and fix security vulnerabilities. Does this vulnerability have a CVE identifier, which would help in communication?

I can report this to the project again and request a CVE identifier if needed. Please confirm that this is OK for you.

- Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
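The quoted advisory gives three request shapes against dispatch.php: traversal plus a null byte in atknodetype (LFI), a SLEEP()-based payload in atkselector (blind SQL injection), and reflected parameters (XSS). The script below is an added example, not code from the advisory, from Netsparker or from the Achievo project. It shows how a defender could flag those shapes in web server access logs and how the atknodetype value could be validated before use. It assumes Common Log Format lines and assumes that a legitimate ATK node type has the form "module.node" (as in the advisory's employee.userprefs); the log lines are constructed from the advisory's URLs plus one benign request.

```python
# Added example (not part of the advisory or of Achievo): flag the request
# shapes the advisory describes and validate the atknodetype parameter.
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate ATK node type is "module.node" made of identifiers.
NODETYPE_RE = re.compile(r"^[a-z_][a-z0-9_]*\.[a-z_][a-z0-9_]*$")
# Time-based blind SQL injection markers, as in the advisory's atkselector payload.
SQLI_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)
# Parameters the advisory lists as reflected (XSS).
REFLECTED_PARAMS = ("atklevel", "atkaction", "atkstackid",
                    "atkselector", "atkfilter", "searchString")


def valid_nodetype(value: str) -> bool:
    """True only if value is a plain module.node name (no traversal, no NUL)."""
    return NODETYPE_RE.match(value) is not None


def check_request(target: str) -> list[str]:
    """Return findings for one request target; empty list means nothing flagged."""
    findings: list[str] = []
    parts = urlsplit(target)
    if not parts.path.endswith("/dispatch.php"):
        return findings
    # parse_qs percent-decodes values, so %2f becomes "/" and %00 becomes NUL.
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("atknodetype", []):
        if "\x00" in value or ".." in value or "/" in value or "\\" in value:
            findings.append("lfi: traversal or null byte in atknodetype")
        elif not valid_nodetype(value):
            findings.append("lfi: atknodetype not of form module.node")
    for value in params.get("atkselector", []):
        if SQLI_RE.search(value):
            findings.append("sqli: time-based payload in atkselector")
    for name in REFLECTED_PARAMS:
        for value in params.get(name, []):
            if "<" in value or ">" in value:
                findings.append(f"xss: markup in {name}")
    return findings


# Common Log Format; only the fields the scanner needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log: one benign request, then the advisory's LFI and SQLi URLs.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Nov/2012:14:12:10 +0200] "GET /dispatch.php?atknodetype=employee.userprefs&atkaction=edit&atkselector=employee.id%3D7 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Nov/2012:14:12:11 +0200] "GET /dispatch.php?atkaction=search&atknodetype=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00.search&searchstring=3 HTTP/1.1" 200 811
10.0.0.9 - - [01/Nov/2012:14:12:40 +0200] "GET /achievo-1.4.5/dispatch.php?atknodetype=employee.userprefs&atkaction=edit&atkselector=(SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)&atklevel=-1&atkprevlevel=0&=3 HTTP/1.1" 200 5120
"""


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client ip, request target, findings) for each flagged log line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = check_request(m.group("target"))
        if findings:
            hits.append((m.group("ip"), m.group("target"), findings))
    return hits


if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, findings, target[:60])
```

The valid_nodetype() check is the mitigation side: a dispatcher that only accepts atknodetype values matching module.node never reaches the filesystem with attacker-controlled path components, and the same allow-list approach (rather than stripping "../") is what removes the null-byte trick as well. The atkselector check only catches the sleep/benchmark pattern from the advisory; the durable fix for that parameter is parameterised queries, which the log scanner cannot verify.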
