Ivan Marković
Security consultant and researcher
Long experience in designing and implementing security solutions, mainly oriented toward web, mobile and embedded applications. Author of penetration testing tools recognized by the OWASP organization and the BackTrack Linux distribution. Research work includes the discovery of vulnerabilities in numerous applications and services, for which the author received public appreciation from Microsoft.
vtiger CRM Multiple Vulnerabilities
|| Security Net Advisory #D.3.9.06.a
Title : Vtiger CRM version 4.2.4 Multiple Vulnerabilities
Impact : Cross Site Scripting
         Security Bypass
         Remote Command Execution
Type : Remote
Vendor :
- Url : http://www.vtiger.com
- Status : Vendor was first contacted on 29.8.2006.
|| Vulnerability
1. FileUpload
In the root of the application we can find the file fileupload.html.
There is no privilege check of any kind, and files are uploaded to the
/cashe/mails/ folder. We can upload and execute any file.
2. XSS
The content of the variable 'description' in all modules is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session.
The content of the variable 'solution' in the module 'HelpDesk' is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session.
3. Privileges bypass
Any user can access administrator modules simply by requesting the URLs of
the desired modules, options, etc. There is no privilege check.
Example:
If we are logged in as a non-admin user we can visit the link:
http://[host]/[vtiger_crm]/index.php?module=Settings&action=index,
and use the Settings module.
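As an added defender-side example (not part of the advisory or of vtiger CRM), the following Python scans web-server access-log lines for traffic matching the three issues above: requests to fileupload.html or to scripts served from /cashe/mails/, markup arriving in the 'description' or 'solution' fields, and direct requests to the Settings module. The log format (Apache combined), the executable-extension list and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-format access log line; only the fields the checks need are captured.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
UPLOAD_DIR = "/cashe/mails/"               # upload target named in the advisory
SCRIPT_EXT = (".php", ".php3", ".phtml")   # server-side executable extensions (assumption)
TEXT_FIELDS = ("description", "solution")  # fields the advisory reports as unsanitised

def classify(line):
    """Return the advisory issues one access-log line matches (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("url"))
    path, qs = parts.path, parse_qs(parts.query)
    findings = []
    # 1. FileUpload: the unprotected form, and a script being served from the upload folder
    if path.endswith("/fileupload.html"):
        findings.append("upload-endpoint")
    if UPLOAD_DIR in path and path.lower().endswith(SCRIPT_EXT):
        findings.append("exec-from-upload-dir")
    # 2. XSS: markup in 'description' or 'solution' (only visible in logs for GET requests)
    if any("<" in v for f in TEXT_FIELDS for v in qs.get(f, [])):
        findings.append("html-in-text-field")
    # 3. Privilege bypass: Settings module requested directly by URL
    if path.endswith("/index.php") and qs.get("module", [""])[0] == "Settings":
        findings.append("settings-module")
    return findings

def scan(log_text):
    """Return (ip, path, findings) for every line that matches at least one issue."""
    hits = []
    for line in log_text.splitlines():
        found = classify(line)
        if found:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), urlsplit(m.group("url")).path, found))
    return hits

# Constructed sample traffic (not real log data): one line per issue plus a benign request.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Aug/2006:10:00:01 +0200] "GET /vtiger_crm/fileupload.html HTTP/1.1" 200 1234
203.0.113.5 - - [29/Aug/2006:10:00:09 +0200] "GET /vtiger_crm/cashe/mails/uploaded.php HTTP/1.1" 200 88
203.0.113.7 - - [29/Aug/2006:10:02:00 +0200] "GET /vtiger_crm/index.php?module=Settings&action=index HTTP/1.1" 200 5120
203.0.113.9 - - [29/Aug/2006:10:03:00 +0200] "GET /vtiger_crm/index.php?module=HelpDesk&action=Save&solution=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 302 0
198.51.100.2 - - [29/Aug/2006:10:04:00 +0200] "GET /vtiger_crm/index.php?module=Leads&action=index HTTP/1.1" 200 4000
"""

if __name__ == "__main__":
    for ip, path, found in scan(SAMPLE_LOG):
        print(ip, path, ", ".join(found))
```

Administrators legitimately request the Settings module, so "settings-module" hits need to be correlated with the application's session or user data before being treated as a bypass; POST bodies are not logged, so field-level XSS checks here only catch GET submissions.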
|| Contact
Author: Ivan Markovic
Site: www.security-net.biz
|| References
http://www.securityfocus.com/bid/19829
http://www.security-net.biz/adv/D3906a.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4617
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4587
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4588