High-Tech Bridge Security Research Lab discovered an SQL injection vulnerability in vtiger CRM, which can be exploited to execute arbitrary SQL commands in the application's database.
- SQL Injection in vtiger CRM: CVE-2013-5091
The vulnerability exists due to insufficient validation of the "onlyforuser" HTTP GET parameter passed to the "/index.php" script. A remote authenticated user can execute arbitrary SQL commands in the application's database.
The following exploitation example displays the version of the MySQL server:
http://[host]/index.php?action=index&day=22&hour=0&module=Calendar&month=7&onlyforuser=1%20%20UNION%20SELECT%201,2,3,4,5,6,version%28%29,8,9,10,11,12,13,14,15,16,17,18,19,20,1,22,23,24,25,26,27,28,29,30,31,32%20--%20&parenttab=My%20Home%20Page&subtab=event&view=day&viewOption=hourview&year=2013
Successful exploitation of this vulnerability requires the attacker to be registered and logged in. Registration is disabled by default.
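The root cause above is that "onlyforuser", which is meant to carry a single numeric user id, reaches the SQL layer without validation. The following is an added example (not vtiger CRM code, and not from the advisory) that shows the two defensive sides of that: an allow-list check that accepts only a digits-only user id, applied both to web-server access logs to surface requests that tamper with the parameter, and in front of a parameter-bound query as the shape the fix should take. The log lines, the `events` table and the Apache-style log pattern are constructed for the example; vtiger's real schema and queries are not assumed.

```python
"""Detection and hardening around a numeric GET parameter such as ``onlyforuser``.

Added illustration, not vtiger CRM code. A user id is digits only, so any other
value in the parameter is rejected by the application and flagged in the logs.
"""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format, abbreviated).
# Line 2 carries the advisory's own UNION payload; line 3 is a second tampered value.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jul/2013:10:01:02 +0000] "GET /index.php?action=index&module=Calendar&onlyforuser=1&view=day HTTP/1.1" 200 5123
10.0.0.5 - - [22/Jul/2013:10:01:09 +0000] "GET /index.php?action=index&day=22&hour=0&module=Calendar&month=7&onlyforuser=1%20%20UNION%20SELECT%201,2,3,4,5,6,version%28%29,8,9,10,11,12,13,14,15,16,17,18,19,20,1,22,23,24,25,26,27,28,29,30,31,32%20--%20&parenttab=My%20Home%20Page&subtab=event&view=day&viewOption=hourview&year=2013 HTTP/1.1" 200 5890
10.0.0.7 - - [22/Jul/2013:10:02:00 +0000] "GET /index.php?module=Calendar&onlyforuser=7%20OR%201=1 HTTP/1.1" 200 5400
10.0.0.9 - - [22/Jul/2013:10:02:30 +0000] "GET /index.php?module=Contacts&action=index HTTP/1.1" 200 3000
"""

# Minimal combined-log request line: client, timestamp, method, target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Allow-list for a user id: 1-10 decimal digits, nothing else.
INT_RE = re.compile(r"^\d{1,10}$")


def is_valid_user_id(value):
    """The validation the vulnerable script lacked: digits only, after URL decoding."""
    return bool(INT_RE.match(value))


def parse_line(line):
    """Split one access-log line into client, timestamp, path and decoded query params."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs URL-decodes values, so %20UNION%20 arrives as " UNION ".
    params = parse_qs(parts.query, keep_blank_values=True)
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path,
            "params": params, "status": int(m.group("status"))}


def find_suspicious(log_text):
    """Return every /index.php request whose onlyforuser value is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != "/index.php":
            continue
        for raw in rec["params"].get("onlyforuser", []):
            if not is_valid_user_id(raw):
                hits.append({"ip": rec["ip"], "ts": rec["ts"], "onlyforuser": raw})
    return hits


def demo_db():
    """Constructed in-memory table standing in for a calendar events table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, owner_id INTEGER, subject TEXT)")
    conn.executemany("INSERT INTO events (owner_id, subject) VALUES (?, ?)",
                     [(1, "Standup"), (1, "Review"), (7, "Call")])
    return conn


def events_for_user(conn, onlyforuser):
    """Hardened query shape: validate the id first, then bind it as a parameter.

    Even if the validation were skipped, a bound parameter is sent as data, so a
    value like "1 UNION SELECT ..." could never change the statement's structure.
    """
    if not is_valid_user_id(onlyforuser):
        raise ValueError("onlyforuser must be a numeric user id")
    cur = conn.execute("SELECT id, subject FROM events WHERE owner_id = ?", (int(onlyforuser),))
    return cur.fetchall()


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} onlyforuser={hit['onlyforuser']!r}")
    print(events_for_user(demo_db(), "1"))
```

Run against real logs, the detector is deliberately simple: it does not try to recognise SQL keywords, it only asks whether the value is the integer the parameter is documented to carry, which catches encoded, commented or blind variants alike and is the same predicate the application itself should enforce.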
A blind SQL injection vulnerability in the same parameter of the same script had previously been discovered in an older version of vtiger CRM (5.2.1) on October 5, 2011 by Aung Khant: http://osvdb.org/76138