[Vtigercrm-developers] Fwd: [SA21728] vtiger CRM Multiple Vulnerabilities

Mike O'Loan mike.oloan at saucesoft.com
Wed Oct 11 17:11:00 PDT 2006


There's a new highly critical advisory from Secunia about script insertion,
etc. This seems to be an upgrade of the one posted on Sep 4.

Mike O'Loan

---------- Forwarded message ----------
From: Secunia <advisories at secunia.com>
Date: Oct 12, 2006 2:21 AM
Subject: [SA21728] vtiger CRM Multiple Vulnerabilities
To: secunia at saucesoft.com


TITLE:
vtiger CRM Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA21728

VERIFY ADVISORY:
https://ca.secunia.com/?page=viewadvisory&vuln_id=21728

CRITICAL:
Highly critical

IMPACT:
Security Bypass, Cross Site Scripting, System access

WHERE:
From remote

REVISION:
2.0 originally posted 2006-09-04

SOFTWARE:
vtiger CRM 4.x
http://secunia.com/product/6211/

DESCRIPTION:
Some vulnerabilities have been discovered in vtiger CRM, which can be
exploited by malicious people to conduct script insertion attacks,
bypass certain security restrictions, and to compromise a vulnerable
system.

1) Input passed to the "description" field in various modules when
e.g. creating a contact and the "solution" field when an
administrator modifies the solution in the HelpDesk modules isn't
properly sanitised before being used. This can be exploited to inject
arbitrary HTML and script code, which will be executed in a user's
browser session in context of an affected site when the malicious
user data is viewed.

2) An error in the access control verification can be exploited by a
normal user to access administrative modules (e.g. the settings
section) by accessing certain URLs directly.

3) Input passed to the "calpath" parameter in
modules/Calendar/admin/update.php is not properly verified before
being used to include files. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources.

The vulnerabilities have been confirmed in version 4.2.4. Other
versions may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised and
verified, and that access to administrative modules is properly
checked.

Use another product.

PROVIDED AND/OR DISCOVERED BY:
1,2) Ivan Markovic
3) Dedi Dwianto

CHANGELOG:
2006-09-07: Added CVE references.
2006-09-18: Added CVE reference.
2006-10-11: Updated "Title", "Description", and "Solution" section.
Added additional vulnerability provided by Dedi Dwianto. Updated
"Criticality".

ORIGINAL ADVISORY:
1,2) http://www.security-net.biz/adv/D3906a.txt

3) http://advisories.echo.or.id/adv/adv54-theday-2006.txt

----------------------------------------------------------------------

Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

<mike.oloan at saucesoft.com>
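The three issue classes in the forwarded advisory (raw free-text fields rendered unescaped, administrative pages reachable by requesting their URL directly, and a request parameter used as an include path) map onto three standard fixes in PHP. The following is an added illustration of those fixes, not code from vtiger CRM or from the advisory; the function names, the session layout, the view file names and the sample record are all hypothetical and constructed for the example.

```php
<?php
// Added example (not vtiger code): hardening patterns for the three issue
// classes described in SA21728. All names here are hypothetical.
declare(strict_types=1);

// 1) Script insertion: a stored free-text field such as "description" or
//    "solution" is escaped at output time, so any markup the user typed is
//    displayed as text rather than interpreted by the browser.
function renderField(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 2) Access control: every administrative entry point re-checks the session
//    itself instead of relying on the menu not showing the link. Requesting
//    the URL directly therefore reaches this check before any admin code.
function requireAdmin(array $session): void
{
    if (empty($session['authenticated']) || ($session['role'] ?? '') !== 'admin') {
        http_response_code(403);
        exit('Forbidden');
    }
}

// 3) File inclusion: the request parameter selects an entry from a fixed
//    allow-list; the parameter value itself is never used to build a path,
//    so neither local paths nor remote URLs can be reached through it.
const CALENDAR_VIEWS = [
    'day'   => __DIR__ . '/views/day.php',
    'week'  => __DIR__ . '/views/week.php',
    'month' => __DIR__ . '/views/month.php',
];

function resolveCalendarView(string $key): ?string
{
    // Returns null for any key that is not in the allow-list.
    return CALENDAR_VIEWS[$key] ?? null;
}

// Usage sketch for a hypothetical admin-only calendar page.
session_start();
requireAdmin($_SESSION);

$view = resolveCalendarView((string)($_GET['calpath'] ?? 'day'));
if ($view === null) {
    http_response_code(400);
    exit('Unknown calendar view');
}
require $view;

// Constructed sample record standing in for a row read from the database.
$record = ['description' => 'Visited the customer <b>on site</b>; follow up next week.'];
echo '<p>' . renderField($record['description']) . '</p>';
```

`htmlspecialchars` is the right tool when the field is meant to hold plain text; if the product intentionally allows rich HTML in a field, escaping must be replaced by a sanitiser that rewrites the markup against an element and attribute allow-list, since escaping would also destroy the permitted formatting. The allow-list in step 3 is deliberately a map from short keys to absolute paths rather than a prefix or extension check on the raw value, because prefix checks are what path-traversal and wrapper tricks are designed to slip past.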