Achievo XSS And Other Stuff

This weekend I stumbled upon an Achievo install in an Intranet environment and, lo and behold, it had a security vulnerability in it. Actually it had other issues too: open directory listings, a misconfiguration that let anyone read the include files, etcetera. Not the most secure software in the world, and seen fairly often in Intranet environments. It’s project management software for time tracking. From what I understand it’s free, or there is a free version, which makes it attractive to SMBs that sell professional services.

Click here for the live demo of the problem. The instance on the Intranet environment that I saw was slightly different: the reflected value went in through the login form’s auth_user parameter, and once URL-decoded it is simply "><script>alert("XSS")</script>, which closes the input’s value attribute and leaves the rest as markup: http://ip/?auth_user=%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E

It also looks like it may be vulnerable to SQL injection, although I didn’t press on this issue much due to time constraints. Either way, if you are using this software, I’d recommend putting it behind a basic auth script or something similar, so an attacker cannot simply send a victim to the reflected URL with a crafted link; if you run it on your external environment, even more so.
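To make the reflection concrete, here is an added example (not code from the post or from the Achievo project): it decodes the URL above back into the raw payload, renders a constructed stand-in for the login form the vulnerable way (values copied straight into the value attribute) and the fixed way (HTML-attribute-encoded), and then probes the auth_user and auth_pass fields to see which ones echo the payload unescaped. The form markup, the field list and the probe helper are assumptions for illustration; they are not Achievo’s templates.

```python
import html
import urllib.parse

# URL quoted in the post; decoded, the parameter value is "><script>alert("XSS")</script>
REFLECTED_URL = "http://ip/?auth_user=%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E"
PAYLOAD = '"><script>alert("XSS")</script>'
# Assumed login field names (auth_user is from the post, auth_pass from the comments).
LOGIN_FIELDS = ("auth_user", "auth_pass")


def query_params(url):
    """Decode the query string into {name: first_value}."""
    qs = urllib.parse.urlparse(url).query
    return {k: v[0] for k, v in urllib.parse.parse_qs(qs, keep_blank_values=True).items()}


def render_login_vulnerable(params):
    """Constructed stand-in for a login form (hypothetical, not Achievo's template):
    it re-fills both fields from the request without encoding, so a value that
    contains a double quote closes the attribute and the remainder is parsed as markup."""
    parts = ['<form method="post">']
    for field in LOGIN_FIELDS:
        kind = "password" if field == "auth_pass" else "text"
        value = params.get(field, "")
        parts.append(f'<input type="{kind}" name="{field}" value="{value}">')
    parts.append("</form>")
    return "".join(parts)


def render_login_fixed(params):
    """Same form with every reflected value HTML-attribute-encoded.
    quote=True turns '"' into &quot; so the attribute cannot be closed early,
    and '<' becomes &lt; so no tag can start inside it."""
    parts = ['<form method="post">']
    for field in LOGIN_FIELDS:
        kind = "password" if field == "auth_pass" else "text"
        value = html.escape(params.get(field, ""), quote=True)
        parts.append(f'<input type="{kind}" name="{field}" value="{value}">')
    parts.append("</form>")
    return "".join(parts)


def reflected_unescaped(body, probe=PAYLOAD):
    """True when the probe comes back byte-for-byte, i.e. the '"' and '<' survived.
    An entity-encoded reflection (&quot;&gt;&lt;script&gt;...) does not count."""
    return probe in body


def probe_fields(renderer, fields=LOGIN_FIELDS, probe=PAYLOAD):
    """Send the probe through one field at a time and report which fields reflect it
    unescaped. `renderer` stands in for the HTTP round trip to the login page, so
    the check runs offline against the constructed forms above."""
    hits = []
    for field in fields:
        url = "http://ip/?" + urllib.parse.urlencode({field: probe})
        body = renderer(query_params(url))
        if reflected_unescaped(body, probe):
            hits.append(field)
    return hits


if __name__ == "__main__":
    print("decoded payload:", query_params(REFLECTED_URL)["auth_user"])
    print("vulnerable form reflects via:", probe_fields(render_login_vulnerable))
    print("fixed form reflects via:", probe_fields(render_login_fixed))
```

Against a real install you would replace the renderer with an HTTP GET of the login page and keep the same unescaped-reflection check; a probe that only comes back entity-encoded is the fixed behaviour, not a finding.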

  1. beford Says:

    It’s vulnerable to PHP_SELF XSS too. (Not sure if the WordPress filter will strip out the PoC URL.)

  2. Spyware Says:

    The password field is XSSable in the same way (auth_pass). Pretty obvious, but hey, it’s worth mentioning.

  3. mybeNi websecurity Says:

    Hey, I got the first weblog XSS worm, based on several new WordPress 2.2.1 security vulnerabilities I found these days.

    cheers benjamin

  4. Laurens Greven Says:

    And there’s more!

  5. hackathology Says:

    Nice find, RSnake. I had been looking for a project management time tracking system until I found this. Of course, it is not very secure; however, as suggested, put some form of authentication in front of it before deploying it.

  6. Ivo Says:

    Hey guys,

    Although it would’ve been more convenient had the issue been emailed to us directly, we still appreciate you pointing out the problems. :-) (Thank you, Google Alerts. :))

    We’ve updated the demo on the page to the latest version, in which most of these issues were fixed. Some of them are still possible, I see; we will fix those ASAP. Achievo is mostly deployed on internal environments in small companies, but still we recognize that it should be as secure as possible.