[Vtigercrm-developers] Security Advisories

Allan Bush allan.bush+vtiger_dev at gmail.com
Mon Oct 16 10:14:51 PDT 2006


I love how the vtiger developers like to hand things off to "the team".

The vtiger developers have long since abandoned supporting 4.2.x.  I
seem to have become the 4.2 project manager (by being pretty much the
only developer).  Here's my take on vtiger security (in both 4.2 and
5.0), it's not kind so I've refrained from stating my views earlier
for fear of insulting someone, but here goes:

VtigerCRM is insecure.  There may be 3 insecurities listed on secunia,
but I bet I could exploit it in a hundred different ways, given a
proper login.

It's an unfortunate situation, but it would take a lot more work than I
can give to fix the issues.  I'm content as long as you can't
exploit the program without logging in.  If anyone is willing to take
up this project and provide the required fixes, I'll be more than
happy to lend a hand and make sure that the required changes are
merged into the next 4.2 release, but I don't have the time to do this
entire project myself.


On 10/15/06, Gopal <gopals at vtiger.com> wrote:
>
>  Dear Team,
>
>  Please have a look at another security advisory for version 4.2.
>
> http://securitydot.net/xpl/exploits/vulnerabilities/articles/1639/exploit.html
>
>  As of now, solution offered by advisory is to migrate product to the
> version 5.
>
>  Thanks,
>  Gopal
>
>  Philip wrote:
>
>  Hi Kim,
>
>  I have posted this as a ticket in trac, kindly refer to the
> url for status
> http://secunia.com/advisories/21728/ ,
>  I'll be fixing this on vtigerCRM 5 GA only.
>
>  Can anybody volunteer for vtigerCRM 4.2.x, if it has not
> been fixed on that?
>
>  Philip
>
>
>  ---- On Thu, 07 Sep 2006 Kim Haverblad <kim at haverblad.se>
> wrote ----
>
>  Well, I posted the advisory info within this list
> the same day (060904)
>  it was issued by Secunia and so far no response
> from anyone on the list.
>
>  /Kim
>
>  Ken Lyle wrote:
>  > Another Secunia advisory has popped up:
>  > http://secunia.com/advisories/21728/
>  >
>  > Who is managing and addressing these?
>  >
>  > Ken
>  >
>  > 484-948-5706
>  > 866-OUT OF BOX
>  > (866-688-6326)
>  >
>  _______________________________________________
>  Get started with creating presentations online -
> http://zohoshow.com?vt
>  ________________________________
>
> _______________________________________________
> Reach hundreds of potential candidates - http://jobs.vtiger.com
>
>
