10081.txt

Achievo 1.4.2 Arbitrary File Upload
===================================

Affected Applications: Confirmed in Achievo 1.4.2. Other versions may also be affected.
 
Severity: Medium â€“ CVSS: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)
 
Vendor Status: New release available (Achievo 1.4.3)
 
Vulnerability Description:
 
The vulnerability is caused due to an improper check in â€œDocument Typesâ€ section under Setup menu,
allowing the upload of files with arbitrary extensions to a folder inside the Webroot. This can be
exploited to e.g. execute arbitrary PHP code by uploading a specially crafted PHP script containing
some kind of Web Shell.
Proof of Concept:
Select a file with any extension (including PHP) and upload it using the form. The file will be available
in:
 
http://server/modules/docmanager/doctypetemplates/myuploadedfile
 
For example, we can upload â€œcmd.phpâ€ in our instalation in localhost and execute it entering:
 
 
http://server/achievo-1.4.2/modules/docmanager/doctypetemplates/cmd.php
 
 
Impact:
 
Direct execution of arbitrary PHP code in the Web Server.
 
Solution:
 
Update the document manager and add a new config (docmanager_allowedfiletypes) for it in
/configs/docmanager.php.inc. With this config you can tell the docmanager what type of files a user can
upload.
 
Vendor Response:
2009-12-03 â€“ Vulnerability was identified
2009-12-03 â€“ Vendor contacted
2009-12-03 â€“ Vendor confirmed vulnerability
2009-12-03 â€“ Vendor released fixed version
2009-12-04 â€“ Vulnerability published

