| VID |
21218 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The Achievo tool is vulnerable to an arbitrary code execution attack.
Achievo is a web-based project management tool for business-environments. The vulnerability containing this tool allows an attacker to execute arbitrary PHP code under the permissions of the web server.
The problem exists in atk/javascript/class.atkdateattribute.js.php, a PHP script which generates JavaScript code. This file contains a series of 5 include_once statements, to load configuration data and function libraries. The location of these files are apparently set by the $config_atkroot, a variable which isn't set anywhere in the script.
This allows the attacker to specify $config_atkroot as a GET/POST/COOKIE variable and instruct the server to open a text file on a web server, and interpret that file as a PHP script.
The attacker can insert any code in the text file, instructing the server to read configuration or password files, execute database queries, or even remove files under the permissions of the web server.
* References:
http://www.achievo.org/
http://www.iss.net/security_center/static/9947.php
Platforms Affected:
Achievo 0.8.1
Achievo 0.8.0
Achievo 0.8.0 RC2
Achievo 0.8.0 RC1 |
| Recommendation |
Upgrade to Achievo 0.8.2 or later, available from, http://www.achievo.org/download/
As a workaround, remove the references to $config_atkroot in the include_once statements at the top of atk/javascript/class.atkdateattribute.js.php. |
| Related URL |
CVE-2002-1435 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
