[Vtigercrm-developers] New Vulnerability in vtiger CRM 4.2.4 -> Script Insertion and Administrative Modules Access

Kim Haverblad kim at haverblad.se
Thu Sep 28 10:14:12 PDT 2006


Just wondering, but what is the status on this vulnerability?

/Kim

Kim Haverblad wrote:
> A new vulnerability has been posted by Ivan Markovic regarding Cross Site
> Scripting, Security Bypass and Remote Command Execution.
> 
> Original advisory:
> http://www.security-net.biz/adv/D3906a.txt
> 
> Secunia advisory:
> http://secunia.com/advisories/21728/
> 
> Description:
> Ivan Markovic has discovered some vulnerabilities in vtiger CRM, which
> can be exploited by malicious people to conduct script insertion attacks
> and bypass certain security restrictions.
> 
> 1) Input passed to the "description" field in various modules when e.g.
> creating a contact and the "solution" field when an administrator
> modifies the solution in the HelpDesk modules isn't properly sanitised
> before being used. This can be exploited to inject arbitrary HTML and
> script code, which will be executed in a user's browser session in
> context of an affected site when the malicious user data is viewed.
> 
> 2) An error in the access control verification can be exploited by a
> normal user to access administrative modules (e.g. the settings section)
> by accessing certain URLs directly.
> 
> The vulnerabilities have been confirmed in version 4.2.4. Other versions
> may also be affected.
> 
> Solution:
> Edit the source code to ensure that input is properly sanitised and that
> access to administrative modules is properly checked.
> 
> Use another product.
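As an added illustration of the two fixes the quoted advisory asks for (this is not vtiger's own code; the function names, the `Settings`/`Users` module list and the `$is_admin` flag are assumptions), the unsanitised output beside its encoded form, and a request-time privilege check for administrative modules:

```php
<?php
// Added illustration, not vtiger code. Function names, the admin module
// list and the $is_admin flag are assumptions for this example.

// 1) Script insertion: the "description" field is written back into the
//    page unchanged, so any script saved in it runs in the browser of
//    whoever later views the record (stored XSS).
function render_description_vulnerable(string $description): string {
    return '<div class="description">' . $description . '</div>';
}

// Hardened: encode for the HTML context at output time. ENT_QUOTES also
// covers single quotes; naming the charset avoids multi-byte surprises.
function render_description_safe(string $description): string {
    $encoded = htmlspecialchars($description, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="description">' . $encoded . '</div>';
}

// 2) Administrative module access: a module that is merely not linked
//    from a normal user's menu is still reachable by its URL, so the
//    privilege check must run on every request before module code loads.
const ADMIN_MODULES = ['Settings', 'Users'];  // assumed list

function module_allowed(string $module, bool $is_admin): bool {
    if (in_array($module, ADMIN_MODULES, true)) {
        return $is_admin;
    }
    return true;
}

// Dispatcher sketch: deny before anything module-specific is included.
function dispatch(string $module, bool $is_admin): string {
    if (!module_allowed($module, $is_admin)) {
        http_response_code(403);
        return 'Access denied';
    }
    return "loading module $module";
}

// Constructed sample input, not taken from the advisory.
$payload = '<script>alert(1)</script>';
echo render_description_vulnerable($payload), "\n"; // tag passes through untouched
echo render_description_safe($payload), "\n";       // rendered as inert text
echo dispatch('Settings', false), "\n";             // Access denied
echo dispatch('Settings', true), "\n";              // loading module Settings
```

The same encoding applies to the HelpDesk "solution" field, or any other stored text echoed into HTML; the check in `dispatch()` is what makes hidden admin links irrelevant.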


