[Vtigercrm-developers] New Vulnerability in vtiger CRM 4.2.4 -> Script Insertion and Administrative Modules Access
Kim Haverblad
kim at haverblad.se
Mon Sep 4 04:28:57 PDT 2006
New vulnerability has been posted by Ivan Markovic regarding Cross Site
Scripting, Security Bypass and Remote Command Execution.
Original advisory:
http://www.security-net.biz/adv/D3906a.txt
Secunia advisory:
http://secunia.com/advisories/21728/
Description:
Ivan Markovic has discovered some vulnerabilities in vtiger CRM, which
can be exploited by malicious people to conduct script insertion attacks
and bypass certain security restrictions.
1) Input passed to the "description" field in various modules when e.g.
creating a contact and the "solution" field when an administrator
modifies the solution in the HelpDesk modules isn't properly sanitised
before being used. This can be exploited to inject arbitrary HTML and
script code, which will be executed in a user's browser session in
context of an affected site when the malicious user data is viewed.
2) An error in the access control verification can be exploited by a
normal user to access administrative modules (e.g. the settings section)
by accessing certain URLs directly.
The vulnerabilities have been confirmed in version 4.2.4. Other versions
may also be affected.
Solution:
Edit the source code to ensure that input is properly sanitised and that
access to administrative modules are properly checked.
Use another product.
More information about the vtigercrm-developers
mailing list