CRM-CTT Management Page Access

2003-06-20T00:00:00
ID OSVDB:3502
Type osvdb
Reporter OSVDB
Modified 2003-06-20T00:00:00

Description

Vulnerability Description

CRM-CTT contains a flaw that allows a regular authenticated user to gain access to administrative pages and functions. The issue is due to the "edit extra fields" page not verifying user credentials before honoring the request.

Solution Description

Upgrade to version 1.8 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: Disable the "edit extra fields" button.

References:

Vendor URL: http://crm-ctt.sourceforge.net/
Other Advisory URL: http://crmstage.it-combine.com/sumpdf.php?pdf=46