vtiger CRM 5.2.1 Multiple Remote Cross-Site Scripting Vulnerabilities

2011-10-26T00:00:00
ID ZSL-2011-5052
Type zeroscience
Reporter Gjoko Krstic
Modified 2011-10-26T00:00:00

Description

Title: vtiger CRM 5.2.1 Multiple Remote Cross-Site Scripting Vulnerabilities
Advisory ID: ZSL-2011-5052
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 26.10.2011

Summary

vtiger CRM is a free, full-featured, 100% Open Source CRM software ideal for small and medium businesses, with low-cost product support available to production users that need reliable support.

Description

vtiger CRM suffers from an XSS vulnerability when handling user input passed to the '_operation' and 'search' parameters via the GET method in the '/modules/mobile/index.php' script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
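One way a defender could look for this pattern in web server logs, as an added example that is not part of the advisory or of vtiger's code: it assumes Apache combined log format, treats '_operation' as an identifier-only action name and 'search' as free text, and the log lines it runs over are constructed.

```python
# Added example (not vtiger code): flag ZSL-2011-5052-style requests in an Apache access log.
import re
from urllib.parse import parse_qs, unquote, urlsplit

MOBILE_PATH = "/modules/mobile/index.php"
# '_operation' names an action (e.g. listModuleRecords), so any non-identifier value is suspicious.
OPERATION_OK = re.compile(r"^[A-Za-z0-9_]+$")
# 'search' is free text: flag only an attribute-closing quote, tag brackets or a javascript: URL.
MARKUP = re.compile(r'[<>"]|javascript:', re.IGNORECASE)
# Apache combined log (assumed format): client IP, ident, user, [time], then "METHOD target PROTO".
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

def fully_decode(value: str, rounds: int = 3) -> str:
    """Peel up to `rounds` layers of percent-encoding; double encoding slips past single-decode filters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_request(target: str) -> list[str]:
    """Names of the suspicious parameters in one request target (path + query)."""
    url = urlsplit(target)
    if not url.path.endswith(MOBILE_PATH):  # endswith: the CRM may live under a sub-directory
        return []
    params = parse_qs(url.query)  # decodes one layer; fully_decode handles the rest
    bad_op = any(not OPERATION_OK.match(fully_decode(v)) for v in params.get("_operation", []))
    bad_search = any(MARKUP.search(fully_decode(v)) for v in params.get("search", []))
    return [name for name, bad in (("_operation", bad_op), ("search", bad_search)) if bad]

def scan_log(lines) -> list[tuple[str, list[str]]]:
    """(client IP, flagged parameters) for every GET line that trips a rule."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(2) == "GET":
            hits = check_request(m.group(3))
            if hits:
                findings.append((m.group(1), hits))
    return findings

# Constructed sample lines (not from a real server): a legitimate request, the PoC pattern
# percent-encoded as a browser sends it, the same payload double-encoded in 'search', and an
# unrelated script with a '<' in a parameter that this rule must ignore.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Oct/2011:10:00:01 +0200] "GET /modules/mobile/index.php?_operation=listModuleRecords&module=Services&search=printer HTTP/1.1" 200 5120',
    '10.0.0.9 - - [26/Oct/2011:10:00:07 +0200] "GET /modules/mobile/index.php?_operation=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4801',
    '10.0.0.9 - - [26/Oct/2011:10:00:09 +0200] "GET /modules/mobile/index.php?_operation=listModuleRecords&module=Services&search=%2522%253E%253Cscript%253E HTTP/1.1" 200 4790',
    '10.0.0.7 - - [26/Oct/2011:10:00:12 +0200] "GET /index.php?module=Leads&q=%3Cb%3E HTTP/1.1" 200 900',
]
```

Running `scan_log(SAMPLE_LOG)` flags only the two requests from 10.0.0.9, one on '_operation' and one on 'search'.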

Vendor

vTiger - <http://www.vtiger.com>

Affected Version

5.2.1

Tested On

Microsoft Windows XP Professional SP3 (EN)
Apache/2.0.52 (Win32)
PHP/5.2.6
MySQL 5.0.51b-community-nt-log

Vendor Status

[28.07.2011] Vulnerabilities discovered.
[28.07.2011] Initial contact with the vendor.
[29.07.2011] Vendor replies asking more details.
[29.07.2011] Sent details to vendor.
[01.08.2011] Requested status update from vendor.
[02.08.2011] Vendor investigates and confirms issues.
[02.08.2011] Asked vendor for patch release date.
[04.08.2011] No reply from vendor.
[05.08.2011] Asked vendor to specify patch release date.
[05.08.2011] Vendor plans to release the 5.3.0 RC by the end of the month.
[21.08.2011] Asked vendor for specific patch release date.
[22.08.2011] Vendor replies promising official release by mid September.
[14.09.2011] Asked vendor for update.
[14.09.2011] Vendor replies extending official release date.
[26.10.2011] Coordinated public security advisory released.

PoC

vtiger_xss.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://wiki.vtiger.com/index.php/Vtiger530:Release_Notes>
[2] <http://www.exploit-db.com/ghdb/3737/>
[3] <http://packetstormsecurity.org/files/106229>
[4] <http://securityreason.com/wlb_show/WLB-2011100099>
[5] <http://secunia.com/advisories/42304/>
[6] <http://www.securityfocus.com/bid/50364>
[7] <http://xforce.iss.net/xforce/xfdb/70983>

Changelog

[26.10.2011] - Initial release
[27.10.2011] - Added reference [7]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

vtiger CRM 5.2.1 Multiple Remote Cross-Site Scripting Vulnerabilities

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2011-5052
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5052.php

Vendor: http://wiki.vtiger.com/index.php/Vtiger530:Release_Notes

GHDB: http://www.exploit-db.com/ghdb/3737/


28.07.2011

---


 Dork: intitle:"vtiger CRM 5 - Commercial Open Source CRM"

 http://localhost:8888/modules/mobile/index.php?_operation="><script>alert(1)</script>
 http://localhost:8888/modules/mobile/index.php?_operation=listModuleRecords&module=Services&search="><script>alert(1)</script>