[Vtigercrm-developers] vTiger multiple vulnerabilities
Aïssa
webmaster at vtigerfacile.com
Fri Sep 1 05:04:28 PDT 2006
About this security advisory, have a look at the origin:
http://www.hardened-php.net/advisory_232005.105.html
Disclosure Timeline:
16. September 2005 - Vendor informed.
10. October 2005 - Follow-up to vendor.
24. November 2005 - public disclosure
Recommendation:
Since there is currently no fixed version available, you should protect your
vTiger installation with the following measures:
1. Restrict access to vtigercrm*.log via .htaccess
2. Switch register_globals to Off.
3. Turn magic_quotes_gpc off.
4. Install the Hardening-Patch for PHP to disable %00 URL characters.
1. not resolved
It is really easy to add a .htaccess "deny from all" on the logs folder.
Best regards,
Aïssa
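Added example (not code from vTiger or from anyone in this thread): a self-contained Python/sqlite3 script that reproduces the ListView/Popup pattern Mike describes, where a request parameter is concatenated straight into a WHERE clause, and compares it with the two fixes: wrapping the value in a quote() helper, as the thread proposes with PearDatabase::quote(), and binding it as a query parameter. The leads table, the rows in it and the quote() helper are constructed stand-ins (quote() is a hypothetical helper, not PearDatabase's implementation; it doubles single quotes, which is the SQLite and standard-SQL escape, whereas MySQL with magic_quotes_gpc would have seen backslash-escaped input). The point the script makes is the one in Mike's message: with magic_quotes_gpc off, the unquoted query lets "x' OR '1'='1" return every row, and quoting (or binding) closes that.

```python
import sqlite3

# Constructed sample rows standing in for a CRM leads table
# (assumption: this is not vTiger's real schema or data).
SAMPLE_LEADS = [
    (1, "Alice", "alice@example.com"),
    (2, "Bob", "bob@example.com"),
    (3, "Carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE leads (leadid INTEGER, lastname TEXT, email TEXT)")
    conn.executemany("INSERT INTO leads VALUES (?, ?, ?)", SAMPLE_LEADS)
    return conn


def quote(value):
    """Hypothetical stand-in for PearDatabase::quote(): return the value as a
    SQL string literal with embedded single quotes escaped by doubling them
    (the SQLite / standard-SQL form; not vTiger's own implementation)."""
    return "'" + str(value).replace("'", "''") + "'"


def search_unquoted(conn, lastname):
    """Vulnerable pattern: the request value is interpolated into the SQL
    string as-is, so a quote in the input terminates the literal."""
    sql = "SELECT leadid FROM leads WHERE lastname = '" + lastname + "'"
    return [row[0] for row in conn.execute(sql)]


def search_quoted(conn, lastname):
    """Fix proposed in the thread: wrap every interpolated variable in quote(),
    so the whole input stays inside one string literal."""
    sql = "SELECT leadid FROM leads WHERE lastname = " + quote(lastname)
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, lastname):
    """Stronger fix: never build SQL from the value at all; let the driver
    bind it as a parameter, independent of any quoting convention."""
    rows = conn.execute(
        "SELECT leadid FROM leads WHERE lastname = ?", (lastname,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"          # constructed injection input
    print("unquoted      :", search_unquoted(conn, payload))       # all rows
    print("quoted        :", search_quoted(conn, payload))         # no rows
    print("parameterized :", search_parameterized(conn, payload))  # no rows
```

Run it as a script to see the three results side by side. The quote() route is the minimal change to the affected files; binding parameters is what you would want on any code you are touching anyway, because it does not depend on magic_quotes_gpc, on the database's escape syntax, or on remembering to wrap every variable.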
Kim Haverblad wrote:
> Sounds great that it's taken care of since vulnerability release date
> was 2005-11-24. So applause to Mike O'Loan for doing some checking.
>
> Bugtraq list also gave some hits on vtiger; seems to be the same
> vulnerability, but there are some comments as well regarding the log
> handling.
>
> http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=vtiger&x=0&y=0
>
> Regards,
> Kim Haverblad
>
> Gopal wrote:
>
>> Dear Mike O'Loan,
>>
>> Thanks for notifying issues in some of the modules. We will ensure that
>> these issues are fixed immediately. If required we will release a patch
>> for v4.2.3 immediately.
>>
>> Regards,
>> Gopal
>> ---
>> S.S.G.Gopal
>> skype: sripadag
>> ph: +1 877 788 4437
>> blog: http://gopal.vtiger.com
>>
>>
>>
>>
>> ---- On Tue, 22 Aug 2006 *Mike O'Loan <mike.oloan at saucesoft.com>* wrote
>> ----
>>
>> The following files still have the same SQL injection vulnerability,
>> carried over from vTiger 4.2.3. Although these aren't a problem with
>> magic_quotes_gpc turned ON, it still needs to be fixed. It has been
>> fixed in other modules by putting the PearDatabase::quote() function
>> around any variable that needs to be placed in an SQL statement.
>>
>> Affected files:
>> modules\Faq\ListView.php
>> modules\HelpDesk\ListView.php
>> modules\Invoice\Popup.php
>> modules\Leads\ListView.php
>> modules\Leads\Popup.php
>> modules\Products\Popup.php
>>
>> Implementing this would reduce the SQL injection vulnerability for
>> vTiger 4.2.x
>>
>> --
>> Mike O'Loan
>> Chief Technical Officer
>> Sauce Software Pty Ltd
>>
>>
>> http://saucesoft.com
>> Phone: +61 1300 559 165
>> Fax: +61 7 3009 0442
>> Email: mike.oloan at saucesoft.com
>> <mailto:mike.oloan at saucesoft.com>
>> _______________________________________________
>> Get started with creating presentations online - http://zohoshow.com?vt
>>
>>
>>
>> __________ NOD32 1.1720 (20060822) Information __________
>>
>> This message was checked by NOD32 antivirus system.
>> http://www.eset.com
>>
>>