vtiger CRM version 5.4.0 suffers from a remote SQL injection vulnerability.
Product: vtiger CRM
Vendor: vtiger
Vulnerable Version(s): 5.4.0 and probably prior
Tested Version: 5.4.0
Vendor Notification: August 7, 2013
Vendor Patch: September 17, 2013
Public Disclosure: September 18, 2013
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2013-5091
Risk Level: Medium
CVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered SQL injection vulnerability in vtiger CRM, which can be exploited to execute arbitrary SQL commands in application's database.
1) SQL Injection in vtiger CRM: CVE-2013-5091
The vulnerability exists due to insufficient validation of "onlyforuser" HTTP GET parameter passed to "/index.php" script. A remote authenticated user can execute arbitrary SQL commands in application's database.
The following exploitation example displays version of MySQL server:
http://[host]/index.php?action=index&day=22&hour=0&module=Calendar&month=7&onlyforuser=1%20%20UNION%20SELECT%201,2,3,4,5,6,version%28%29,8,9,10,11,12,13,14,15,16,17,18,19,20,1,22,23,24,25,26,27,28,29,30,31,32%20--%20&parenttab=My%20Home%20Page&subtab=event&view=day&viewOption=hourview&year=2013
Successful exploitation of this vulnerability requires the attacker to be registered and logged-in. The registration is disabled by default.
-----------------------------------------------------------------------------------------------
Solution:
Vendor has issued a fixed version of the vulnerable script "VtigerCRM540_Security_Patch2.zip" available for download at:
http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%205.4.0/Core%20Product/
-----------------------------------------------------------------------------------------------
# 0day.today [2018-01-11] #