[Vtigercrm-developers] New Vulnerability in vtiger CRM 4.2.4 ->

Gopal gopals at vtiger.com
Tue Sep 5 00:58:39 PDT 2006


Dear Kim Haverblad,

My sincere apologies for posting reply to another thread. 

It is a mistake on my part. 

Regards,
Gopal
---
S.S.G.Gopal
skype: sripadag
ph: +1 877 788 4437
blog: http://gopal.vtiger.com




---- On Mon, 04 Sep 2006 Kim Haverblad <kim at haverblad.se> wrote ---- 

New vulnerability has been posted by Ivan Markovic regarding Cross Site
Scripting, Security Bypass and Remote Command Execution.

Original advisory:
http://www.security-net.biz/adv/D3906a.txt

Secunia advisory:
http://secunia.com/advisories/21728/

Description:
Ivan Markovic has discovered some vulnerabilities in vtiger CRM, which
can be exploited by malicious people to conduct script insertion attacks
and bypass certain security restrictions.

1) Input passed to the "description" field in various modules when e.g.
creating a contact and the "solution" field when an administrator
modifies the solution in the HelpDesk modules isn't properly sanitised
before being used. This can be exploited to inject arbitrary HTML and
script code, which will be executed in a user's browser session in
context of an affected site when the malicious user data is viewed.

2) An error in the access control verification can be exploited by a
normal user to access administrative modules (e.g. the settings section)
by accessing certain URLs directly.

The vulnerabilities have been confirmed in version 4.2.4. Other versions
may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised and that
access to administrative modules are properly checked.

Use another product.
_______________________________________________
Get started with creating presentations online - http://zohoshow.com?vt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.vtigercrm.com/pipermail/vtigercrm-developers/attachments/20060905/7869fafd/attachment-0004.html 


More information about the vtigercrm-developers mailing list