[BONSAI] XSS and SQL Injection in Achievo <= 1.3.4
Today Andres Riancho, owner of Bonsai Information Security (Argentina) and lead developer of w3af, released a couple of advisories on vulnerabilities in Achievo <= 1.3.4, which we found a few months ago during our vulnerability research into common web applications.
The affected web application is Achievo <= 1.3.4. Achievo suffered from multiple simple persistent XSS vulnerabilities within its scheduler module and an SQL injection vulnerability within its dispatch.php file.
Achievo is a flexible web-based resource management tool for business environments. Achievo's resource management capabilities will enable organisations to support their business processes in a simple, but effective manner.
Andres and I worked on quite a novel (to me) payload for the persistent XSS vulnerability which we found. Essentially, the payload we worked on was an AJAX script which sent POST requests to the vulnerable application in order to escalate a user's privileges. A write-up by Andres on the payload can be found here: http://www.bonsai-sec.com/blog/index.php/cross-site-scripting-payloads/
For the original advisories:
All vulnerabilities found were disclosed in an ethical manner. We worked alongside the affected application's developers in order to fix the vulnerabilities found. The advisories were not published until the developers had fixed and updated their software.