[Vtigercrm-developers] vTiger multiple vulnerabilities

Kim Haverblad kim at haverblad.se
Wed Aug 23 00:35:10 PDT 2006


Sounds great that it's taken care of, since the vulnerability release date
was 2005-11-24. So applause to Mike O'Loan for doing some checking.

The Bugtraq list also gave some hits on vtiger; it seems to be the same
vulnerability, but there are some comments as well regarding the log
handling.

http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=vtiger&x=0&y=0

Regards,
Kim Haverblad

Gopal wrote:
> Dear Mike O'Loan,
> 
> Thanks for notifying issues in some of the modules. We will ensure that
> these issues are fixed immediately. If required we will release a patch
> for v4.2.3 immediately.
> 
> Regards,
> Gopal
> ---
> S.S.G.Gopal
> skype: sripadag
> ph: +1 877 788 4437
> blog: http://gopal.vtiger.com
> 
> 
> 
> 
> ---- On Tue, 22 Aug 2006 *Mike O'Loan <mike.oloan at saucesoft.com>* wrote
> ----
> 
>     The following files still have the same SQL injection vulnerability,
>     carried over from vTiger 4.2.3. Although these aren't a problem with
>     magic_quotes_gpc turned ON, it still needs to be fixed. It has been
>     fixed in other modules by putting the PearDatabase::quote() function
>     around any variable that needs to be placed in an SQL statement.
> 
>     Affected files:
>     modules\Faq\ListView.php
>     modules\HelpDesk\ListView.php
>     modules\Invoice\Popup.php
>     modules\Leads\ListView.php
>     modules\Leads\Popup.php
>     modules\Products\Popup.php
> 
>     Implementing this would reduce the SQL injection vulnerability for
>     vTiger 4.2.x
> 
>     -- 
>     Mike O'Loan
>     Chief Technical Officer
>     Sauce Software Pty Ltd
> 
> 
>          http://saucesoft.com
>          Phone: +61 1300 559 165
>          Fax: +61 7 3009 0442
>          Email: mike.oloan at saucesoft.com
> 
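As an added illustration of the fix Mike O'Loan describes (this is example code, not code from vTiger or from anyone in this thread): a request value interpolated into a list-view query unquoted, beside the same query with the value passed through the database layer's quote() first. DemoDatabase and its quote() body, requestValue(), the leads table and the lastname column are assumptions of this example; vTiger's real class is PearDatabase, whose quote() the report names but which is not reproduced here.

```php
<?php
// Added example, not vTiger code. DemoDatabase is a stand-in for
// PearDatabase that only builds SQL text, so this runs offline with
// no database connection.

class DemoDatabase
{
    // Stand-in for PearDatabase::quote(): escape the value and wrap it in
    // single quotes so it can only ever be read as a string literal.
    // Real code should use the driver's escaper (e.g.
    // mysqli::real_escape_string) so the connection charset is honoured.
    public function quote(string $value): string
    {
        return "'" . addslashes($value) . "'";
    }
}

// With magic_quotes_gpc=On (PHP 5 only) request values already carry
// backslashes; strip them once so quote() does not escape twice.
// (The report notes the bug is masked, not fixed, by that setting.)
function requestValue(array $request, string $key): string
{
    $value = (string) ($request[$key] ?? '');
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// BEFORE: the pattern the report flags. The filter value is dropped into
// the SQL string as-is, so a quote character in the input ends the string
// literal early and the remainder is parsed as SQL.
function buildListQueryVulnerable(array $request): string
{
    $lastname = $request['lastname'] ?? '';   // hypothetical filter field
    return "SELECT leadid, lastname FROM leads WHERE lastname = '$lastname'";
}

// AFTER: every request-derived value goes through quote() before it is
// placed in the statement, which is the fix applied in the other modules.
function buildListQuerySafe(DemoDatabase $adb, array $request): string
{
    $lastname = $adb->quote(requestValue($request, 'lastname'));
    return "SELECT leadid, lastname FROM leads WHERE lastname = $lastname";
}

$adb = new DemoDatabase();
// Constructed input: a legitimate surname that happens to contain a quote.
$request = ['lastname' => "O'Brien"];

echo buildListQueryVulnerable($request), PHP_EOL;
echo buildListQuerySafe($adb, $request), PHP_EOL;
```

Run with `php example.php`. The first line shows the literal closing after `O`, with `Brien'` left outside it (a malformed statement here, attacker-controlled SQL in the general case); the second shows the apostrophe backslash-escaped inside one quoted literal, so the input stays data. Auditing the six listed files amounts to finding each `$_REQUEST`-derived variable inside an SQL string and applying the second form.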