[Vtigercrm-developers] Potential Security Vulnerability

Brian Devendorf developer at infointegrated.com
Mon Feb 20 23:09:15 PST 2006


I just created a ticket in Trac for a potential security vulnerability in vtiger: http://vtiger.fosslabs.com/cgi-bin/trac.cgi/ticket/25
I also created a post in the forums as well: http://forums.vtiger.com/viewtopic.php?t=5704

Here are the details:
I know that most good systems admins would delete the install directories (I always do), but we are likely to have quite a few of the "uninitiated admins" installing vtiger. I would hate to leave vtiger open for attack. The install docs do not mention removing the install directory either. A hack on a vtiger install would not look good if it received any kind of press. This worst-case scenario would force my company to switch to offering a different product. I really don't want to do that.

Here are the contents of the ticket I submitted:
If the install directory stays on the server after installation, an informed individual could change the admin password without any trouble at all; they could also view the mysql database and username information. With the current change in the branch, they could also change the SQL database (readonly tags removed). If the files in the install directory are removed after install, this risk will not exist. I have a diff that adds simple deletion of the install directory after completion of Setup Step 5.

Here is the diff file I created for the branch:

Please feel free to implement a solution to this risk however you feel it should be. My diff above is a bare-bones solution to the problem. It does work, but I'm sure it could be done better. This was just a solution I put together in a few minutes to address what I believe is a critical hole.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: install_cleanup.patch
Type: application/octet-stream
Size: 1826 bytes
Desc: not available
Url : http://lists.vtigercrm.com/pipermail/vtigercrm-developers/attachments/20060221/4acc63f5/attachment-0003.obj 
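Since the patch itself was scrubbed from the archive, here is an added example (not the author's diff and not vtiger project code) of the cleanup step the message describes: deleting the installer directory once the final setup step completes, plus a check an administrator can run to detect a leftover installer. It assumes a hypothetical layout in which the application root is the directory containing this file and the installer lives in "<root>/install"; the confinement and symlink handling are additions beyond the bare deletion the message mentions.

```php
<?php
// Added example, not vtiger's own code. Assumed (hypothetical) layout:
// application root = __DIR__, installer directory = __DIR__ . '/install'.

/**
 * Recursively delete $dir, but only if it resolves to a path strictly
 * below $root. Symlinks are unlinked, never followed, so a planted link
 * cannot redirect the deletion outside the installer directory.
 * Returns true when the directory no longer exists afterwards.
 */
function remove_install_dir(string $root, string $dir): bool
{
    if (is_link($dir)) {                 // the install dir itself is a link
        return unlink($dir);
    }
    $realRoot = realpath($root);
    $realDir  = realpath($dir);
    if ($realRoot === false) {
        return false;                    // cannot establish a safe boundary
    }
    if ($realDir === false) {
        return !is_dir($dir);            // already gone
    }
    $sep = DIRECTORY_SEPARATOR;
    if ($realDir === $realRoot || strpos($realDir . $sep, $realRoot . $sep) !== 0) {
        return false;                    // refuse to delete outside the app root
    }
    // CHILD_FIRST yields contents before their parent directory; without
    // FOLLOW_SYMLINKS the iterator does not descend into linked directories.
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($it as $entry) {
        $path = $entry->getPathname();
        if ($entry->isDir() && !$entry->isLink()) {
            rmdir($path);
        } else {
            unlink($path);               // regular files and symlinks alike
        }
    }
    return rmdir($dir) && !is_dir($dir);
}

// Post-deployment check: report whether installer files are still reachable.
function installer_left_behind(string $root): bool
{
    return is_dir($root . '/install') || is_file($root . '/install.php');
}

// Constructed call site for the end of the final setup step.
if (!remove_install_dir(__DIR__, __DIR__ . '/install')) {
    error_log('Installer directory was not removed; delete it manually.');
}
```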