CVE-2002-1435 - Remote File Include Command Execution vulnerability in Achievo
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | PARTIAL |
Availability impact | PARTIAL |
Summary
class.atkdateattribute.js.php in Achievo 0.7.0 through 0.9.1, except 0.8.2, when the 'allow_url_fopen' setting is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the config_atkroot parameter that points to the code.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 10 |
Exploit-Db
description | Achievo 0.7/0.8/0.9 Remote File Include Command Execution Vulnerability. CVE-2002-1435. Webapps exploit for php platform |
id | EDB-ID:21745 |
last seen | 2016-02-02 |
modified | 2002-08-22 |
published | 2002-08-22 |
reporter | Jeroen Latour |
source | https://www.exploit-db.com/download/21745/ |
title | Achievo 0.7/0.8/0.9 - Remote File Include Command Execution Vulnerability |
Nessus
NASL family | CGI abuses |
NASL id | ACHIEVO_CODE_INJECTION.NASL |
description | The remote host is running Achievo, a web-based resource management tool written in PHP. The version of Achievo on the remote host includes a PHP script which is reported to be affected by a remote file include vulnerability. An attacker may use this flaw to inject arbitrary code in the remote host and gain a shell with the privileges of the web server. Note that this flaw is only present if PHP register_globals is set to |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 11109 |
published | 2002-08-22 |
reporter | This script is Copyright (C) 2002-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/11109 |
title | Achievo class.atkdateattribute.js.php config_atkroot Parameter Remote File Inclusion |