Bonsai Information Security - Vulnerability Research

Multiple XSS in Achievo



1. Advisory Information

Advisory ID: BONSAI-2009-0101
Date published: 2009-08-25
Vendors contacted: Achievo
Release mode: Coordinated release


2. Vulnerability Information

Class: Multiple Cross Site Scripting (XSS)
Remotely Exploitable: Yes
Locally Exploitable: YES
CVE Name: TBD


3. Software Description

Achievo is a flexible web-based resource management tool for business environments. Achievo's resource management capabilities will enable organisations to support their business processes in a simple, but effective manner [0].


4. Vulnerability Description

Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

For additional information, please read [1].


5. Vulnerable packages

Version <= 1.3.4


6. Non-vulnerable packages

Achievo developers informed us that all users should upgrade to the latest version of Achievo, which fixes this vulnerability. More information to be found here:
http://www.achievo.org/


7. Credits

This vulnerability was discovered by Ryan Dewhurst ( ryan -at- bonsai-sec.com ).


8. Technical Description

A Persistent Cross Site Scripting vulnerability was found in the 'tittle' variable within the scheduler module. This is because the application does not properly sanitise the users input. The vulnerability can be triggered by a user submitting the following data within the scheduler title:


Which will include the xss.js javascript file within the schedule. A javascript that exploits this issue and creates a new administrator user in the system can be found in Bonsai's blog [2]

8.2 A Reflected Cross Site Scripting vulnerability was found in the atksearch[contractnumber], atksearch_AE_customer[customer] and atksearchmode[contracttype] variables within the 'Organisation Contracts' administration page. This is because the application does not properly sanitise the users input. The vulnerability can be triggered by clicking on the following URL:


http://www.example.com/dispatch.php?atkprevlevel=0&atkescape=&atknodetype=organization.contracts&atkaction=admin&atksmartsearch=clear&atkstartat=0&atksearch[contractnumber]="><script>alert('xss');</script>&atksearchmode[contractnumber]=substring&atksearch[contractname]="><script>alert('xss');\</script>&atksearchmode[contractname]=substring&atksearch_AE_contracttype[contracttype][=&atksearchmode[contracttype]=exact&atksearch_AE_customer[customer]="><script>alert('xss');\</script>&atksearchmode[customer]=substring


9. Report Timeline

  1. 2009-07-09:
  2. Vulnerabilities were identified.

  3. 2009-08-08:
  4. Vendor contacted.

  5. 2009-08-25:
  6. The advisory BONSAI-2009-0101 is published.


10. References

[0] http://www.achievo.org/

[1] http://www.owasp.org/index.php/Cross_site_scripting

[2] http://www.bonsai-sec.com/blog/


11. About Bonsai

Bonsai is a company involved in providing professional computer information security services. Currently a sound growth company, since its foundation in early 2009 in Buenos Aires, Argentina, we are fully committed to quality service, and focused on our customers real needs.


12. Disclaimer

The contents of this advisory are copyright (c) 2009 Bonsai Information Security, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.