1 Affected Applications: Confirmed in Achievo 1.4.2. Other versions may also be affected.
3 Severity: Medium M−^V CVSS: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)
5 Vendor Status: New release available (Achievo 1.4.3)
7 Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf
9 Vulnerability Description:
11 The vulnerability is caused due to an improper check in M−^SDocument TypesM−^T section under Setup menu,
12 allowing the upload of files with arbitrary extensions to a folder inside the Webroot. This can be
13 exploited to e.g. execute arbitrary PHP code by uploading a specially crafted PHP script containing
14 some kind of Web Shell.
15 Proof of Concept:
16 Select a file with any extension (including PHP) and upload it using the form. The file will be available
21 For example, we can upload M−^Scmd.phpM−^T in our instalation in localhost and execute it entering:
29 Direct execution of arbitrary PHP code in the Web Server.
33 Update the document manager and add a new config (docmanager_allowedfiletypes) for it in
34 /configs/docmanager.php.inc. With this config you can tell the docmanager what type of files a user can
37 Vendor Response:
38 2009−12−03 M−^V Vulnerability was identified
39 2009−12−03 M−^V Vendor contacted
40 2009−12−03 M−^V Vendor confirmed vulnerability
41 2009−12−03 M−^V Vendor released fixed version
42 2009−12−04 M−^V Vulnerability published
44 Contact Information:
45 For more information regarding the vulnerability feel free to contact the researcher at
46 ngrisolia <at> cybsec <dot> com
48 About CYBSEC S.A. Security Systems
50 Since 1996 CYBSEC S.A. is devoted exclusively to provide professional services specialized in
51 Computer Security. More than 150 clients around the globe validate our quality and professionalism.
52 To keep ob