CRM-CTT View Arbitrary PDF

2004-01-11T00:00:00
ID OSVDB:3503
Type osvdb
Reporter OSVDB
Modified 2004-01-11T00:00:00

Description

Vulnerability Description

CRM-CTT contains a flaw that allows an authenticated user with limited access to retrieve arbitrary PDF files. The issue is caused by a missing authorization check in the management summary PDF routine. A limited-access user who knows the direct link to the script that generates PDF files can request any PDF, regardless of the access requirements that would otherwise apply.

Solution Description

Upgrade to version 1.9.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
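As an added illustration that is not CRM-CTT's own code, the following Python model contrasts a PDF handler that only checks that the caller is logged in (the class of flaw the advisory describes) with one that also checks that the caller is authorized for the requested report; the users, roles and report names are constructed for the example.

```python
# Added example, not CRM-CTT code: authentication alone is not enough for a
# report-generating endpoint; the handler must also authorize the specific report.
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    role: str                                   # constructed roles: "admin", "manager", "limited"
    allowed_reports: set = field(default_factory=set)


# Constructed sample data: report ids mapped to (fake) PDF bytes.
REPORTS = {
    "summary-2004-01": b"%PDF-1.4 management summary (constructed)",
    "ticket-42": b"%PDF-1.4 single ticket report (constructed)",
}


class Forbidden(Exception):
    """Raised when the request must be refused."""


def serve_pdf_vulnerable(user, report_id):
    """Models the flawed routine: any logged-in user receives any PDF."""
    if user is None:
        raise Forbidden("login required")
    return REPORTS[report_id]           # no check that this user may read this report


def can_read(user, report_id):
    """Authorization rule: managers and admins read everything, others only their own."""
    return user.role in ("admin", "manager") or report_id in user.allowed_reports


def serve_pdf_fixed(user, report_id):
    """Hardened routine: authorization is checked before the PDF is produced."""
    if user is None:
        raise Forbidden("login required")
    if not can_read(user, report_id):   # checked before existence, so nothing is leaked
        raise Forbidden(f"{user.name} is not permitted to read {report_id}")
    return REPORTS[report_id]


def is_served(handler, user, report_id):
    """True if the handler returns the PDF to the user, False if it refuses."""
    try:
        handler(user, report_id)
        return True
    except Forbidden:
        return False
```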

References:

Vendor URL: http://crm-ctt.sourceforge.net/