SEC-20051125-0.txt

Published: 30 Nov 2005. Reported by: Daniel Fabian. Type: packetstorm. Source: packetstormsecurity.com

Even More Vulnerabilities in VTiger CRM. Multiple serious vulnerabilities found

SEC-CONSULT Security Advisory < 20051125-0 >  
=======================================================================  
title: Even More Vulnerabilities in VTiger CRM  
program: vtiger CRM  
vulnerable version: 4.2 and earlier  
homepage: http://www.vtiger.com  
found: 2005-11-06  
by: D. Fabian / SEC-CONSULT / www.sec-consult.com  
=======================================================================  
  
Vendor Description:  
---------------  
  
vtiger CRM is an Open Source CRM software mainly for small and medium  
businesses. vtiger CRM is built over proven, fast, and reliable LAMP/WAMP  
(Linux/Windows, Apache, MySQL, and PHP) technologies and other open  
source projects.  
  
vtiger CRM leverages the benefits of Open Source software and adds more  
value to the end-users by providing many enterprise features, such as  
sales force automation, customer support & service, marketing automation,  
inventory management, multiple database support, security management,  
product customization, calendaring, E-mail integration, add-ons, and  
others.  
  
[Source: www.vtiger.com]  
  
  
Vulnerability Overview:  
---------------  
  
A short security analysis of the CRM system revealed multiple serious  
vulnerabilities that might result in:  
- administrator account takeover,  
- cookie/session information theft,  
- database manipulation (reading & deleting data),  
- remote code execution.  
  
The following classes of security vulnerabilities have been found:  
- SQL Injection  
- Cross Site Scripting  
- Path Traversal/File Disclosure  
- Code Execution  
- Arbitrary File Upload  
  
It seems that Christopher Kunz from the hardened-php project  
independently also discovered some of the exploits described in this  
advisory. Since they released their advisory without a patch being  
available, customer risk is already high and we'd like to add the  
results of our research.  
  
  
Vulnerability Details:  
---------------  
  
### Multiple SQL Injection Vulnerabilities  
Practically all SQL statements in vtiger CRM are vulnerable to SQL  
injection. Most seriously, the login form is vulnerable, and can be  
tricked into logging in as administrator by supplying the form with a  
username like "admin' or '1'='1" and an arbitrary password.  
The record parameter is also vulnerable to SQL injection and can be  
used to delete or read data (e.g. index.php?action=EditView&module=  
Contacts&record=15+or+1=1&return_module=Contacts&return_action=index).  
Notably, these attacks also work if the "magic_quotes" parameter in  
php.ini is set to "on".  
  
### Cross Site Scripting  
Just like with SQL Injection, most parameters are vulnerable to XSS.  
Most seriously however, the values stored in the database are also not  
filtered for HTML tags. Thus it is possible to create for example a new  
account with a name like "<script>alert(123)</script>". Whenever another  
user has a look at the list of accounts, the JavaScript is executed. This  
allows an attacker to collect cookies from other users to subsequently  
perform session hijacking attacks.  
  
### Path Traversal/File Disclosure  
Multiple parameters are vulnerable to file disclosure attacks. These  
attacks are based on unchecked user input being used in "include" or  
"require" php functions. On the one hand, this allows an attacker to  
disclose arbitrary files from the webserver. On the other hand, in  
conjunction with the file upload functionality, the flaw can be used to  
perform remote command execution, by simply uploading a file containing  
php code and including it using the following attacks:  
  
index.php?module=../../../../../../../etc/hosts%00&action=index&record=  
index.php?module=Leads&action=../../../../../../etc/hosts%00&record=  
  
These attacks can also be performed even if the php parameter  
magic_quotes is "on".  
  
  
### Remote Code Execution  
The file given by the parameter "templatename" is parsed and its input is  
passed to eval() without any prior validation.  
  
Example:  
index.php?module=Users&action=TemplateMerge&templatename=  
/path/to/malicious/uploaded/file  
  
  
### Arbitrary File Upload  
Using the URL index.php?module=uploads&action=add2db it is possible to  
upload arbitrary files, including files with the .php extension,  
resulting in arbitrary code execution.  
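As an added illustration that is not part of the advisory, the following Python checks web-server access-log lines for the request shapes described in the SQL Injection, Path Traversal, Remote Code Execution and Arbitrary File Upload sections above: a non-numeric record parameter, a module or action value that is not a plain identifier (traversal sequences, NUL bytes), a TemplateMerge call whose templatename carries a path separator, and any hit on the uploads/add2db handler. The log lines are constructed samples, and the /vtiger/ path prefix and the finding labels are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the advisory); the
# query strings mirror the request shapes the advisory text describes.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Nov/2005:10:01:02 +0100] "GET /vtiger/index.php?action=EditView&module=Contacts&record=15+or+1=1&return_module=Contacts HTTP/1.1" 200 5120
10.0.0.5 - - [30/Nov/2005:10:01:09 +0100] "GET /vtiger/index.php?module=../../../../../../../etc/hosts%00&action=index&record= HTTP/1.1" 200 812
10.0.0.5 - - [30/Nov/2005:10:01:12 +0100] "GET /vtiger/index.php?module=Leads&action=../../../../../../etc/hosts%00&record= HTTP/1.1" 200 812
10.0.0.5 - - [30/Nov/2005:10:01:15 +0100] "GET /vtiger/index.php?module=Users&action=TemplateMerge&templatename=/tmp/upload.txt HTTP/1.1" 200 300
10.0.0.5 - - [30/Nov/2005:10:01:21 +0100] "POST /vtiger/index.php?module=uploads&action=add2db HTTP/1.1" 200 210
10.0.0.9 - - [30/Nov/2005:10:02:00 +0100] "GET /vtiger/index.php?action=EditView&module=Contacts&record=15&return_module=Contacts HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# vtiger module/action names are plain identifiers; anything else is suspect.
SAFE_TOKEN = re.compile(r'^[A-Za-z0-9_]+$')

def classify(target):
    """Return labels for the advisory vectors one request target matches."""
    # parse_qs percent-decodes, so %00 arrives here as a real NUL byte.
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    get = lambda key: qs.get(key, [''])[0]
    module, action, record = get('module'), get('action'), get('record')
    findings = []
    # record is a row id, so anything non-numeric is an SQL injection attempt.
    if record and not record.isdigit():
        findings.append('sqli:record')
    # module/action feed include/require; traversal or NUL breaks the pattern.
    for name, value in (('module', module), ('action', action)):
        if value and not SAFE_TOKEN.match(value):
            findings.append('traversal:' + name)
    # TemplateMerge evals the named file; a path separator means the caller
    # is pointing it at a file of their choosing (e.g. one just uploaded).
    if action == 'TemplateMerge' and re.search(r'[/\\]', get('templatename')):
        findings.append('eval:templatename')
    if module == 'uploads' and action == 'add2db':
        findings.append('upload:add2db')
    return findings

def scan(log_text):
    """Return (line_number, method, findings) for every flagged log line."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if match and (findings := classify(match.group('target'))):
            hits.append((number, match.group('method'), findings))
    return hits
```

Running scan(SAMPLE_LOG) flags the first five lines and leaves the sixth, a legitimate EditView request, untouched; the stored XSS vector lives in POST bodies and is not visible in an access log.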
  
Additional Comments:  
---------------  
  
This advisory is by no means a complete listing of all vulnerabilities in  
vtiger CRM. It is very likely that there are quite a number of further flaws.  
We'd like to stress that our research was conducted independently and  
without knowledge of Christopher Kunz's results. Since it's a first come,  
first served world, credits for a subset of the flaws described in this  
advisory go to him.  
  
  
Vulnerable Versions:  
---------------  
  
All of the above vulnerabilities have been found in vtiger CRM version  
4.2. Earlier versions are very likely also vulnerable to the described  
attacks.  
  
  
Recommended Fix:  
---------------  
  
In our opinion it is currently impossible to deploy a secure installation  
of vtiger CRM without major changes to the source code. As a very limited  
workaround apply directory authentication (e.g. htaccess) in order to at  
least allow only authorized users access to the application. However, this  
of course won't keep authorized users from applying the exploits and  
gaining administrative access to vtiger.  
  
  
Vendor status:  
---------------  
vendor notified: 2005-11-09  
vendor response: 2005-11-23  
patch available: According to vendor a fixed version 4.5 alpha is going  
to be released by the end of this week. As Christopher Kunz from the  
hardened-php project already published the exploits they found, the  
additional risk for customers caused by this advisory is negligible.  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Unternehmensberatung GmbH  
  
Office Vienna  
Blindengasse 3  
A-1080 Wien  
Austria  
  
Tel.: +43 / 1 / 409 0307 - 570  
Fax.: +43 / 1 / 409 0307 - 590  
Mail: office at sec-consult dot com  
www.sec-consult.com  
  
EOF Daniel Fabian / @2005  
d.fabian at sec-consult dot com  
  
  
