CVE-2002-1435 - Remote File Include Command Execution vulnerability in Achievo

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Tags: network, low complexity, achievo, nessus, exploit available

Summary

When the 'allow_url_fopen' setting is enabled, class.atkdateattribute.js.php in Achievo 0.7.0 through 0.9.1, except 0.8.2, allows remote attackers to execute arbitrary PHP code via a URL in the config_atkroot parameter that points to the code.

Exploit-Db

description: Achievo 0.7/0.8/0.9 Remote File Include Command Execution Vulnerability. CVE-2002-1435. Webapps exploit for php platform
id: EDB-ID:21745
last seen: 2016-02-02
modified: 2002-08-22
published: 2002-08-22
reporter: Jeroen Latour
source: https://www.exploit-db.com/download/21745/
title: Achievo 0.7/0.8/0.9 - Remote File Include Command Execution Vulnerability

Nessus

NASL family: CGI abuses
NASL id: ACHIEVO_CODE_INJECTION.NASL
description: The remote host is running Achievo, a web-based resource management tool written in PHP. The version of Achievo on the remote host includes a PHP script which is reported to be affected by a remote file include vulnerability. An attacker may use this flaw to inject arbitrary code in the remote host and gain a shell with the privileges of the web server. Note that this flaw is only present if PHP register_globals is set to
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11109
published: 2002-08-22
reporter: This script is Copyright (C) 2002-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/11109
title: Achievo class.atkdateattribute.js.php config_atkroot Parameter Remote File Inclusion