[Vtigercrm-developers] [CRITICAL] possible code injection vulnerability
Enrico Weigelt
weigelt at metux.de
Mon Jun 25 07:11:34 PDT 2007
Hi folks,
while playing around w/ URL parameters, I've found a probably
critical vulnerability:
The "action" parameter seems to go directly into the filename
for code loading (i.e. "action=foo" ends up in trying to load
"foo.php" within the module's subdir)!
We should fix this ASAP.
cu
--
---------------------------------------------------------------------
Enrico Weigelt == metux IT service
phone: +49 36207 519931 www: http://www.metux.de/
fax: +49 36207 519932 email: contact at metux.de
cellphone: +49 174 7066481
---------------------------------------------------------------------
-- DSL ab 0 Euro. -- statische IP -- UUCP -- Hosting -- Webshops --
---------------------------------------------------------------------
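A defensive counterpart to the pattern Enrico describes, added here as an illustration and not code from vtiger CRM: a dispatcher that maps the untrusted "action" parameter to a script only through an allowlist and a containment check. It is written in Python rather than PHP so it runs stand-alone; the module directory and the action names are constructed assumptions.

```python
import os
import re

# Constructed layout for the illustration (assumption, not vtiger's real tree):
# one module directory holding the scripts the dispatcher may load.
MODULE_DIR = os.path.abspath("modules/Leads")
ALLOWED_ACTIONS = {"DetailView", "EditView", "Save", "index"}
# Identifier-like names only: no '/', '.', NUL bytes or scheme prefixes can pass.
ACTION_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,63}")


class BadAction(ValueError):
    """Raised when the request's action parameter cannot be mapped to a module script."""


def resolve_action_file(action, module_dir=MODULE_DIR):
    """Map an untrusted 'action' parameter to a script path inside module_dir.

    Three independent checks, each stopping a different class of bad input:
      1. syntactic: the value must be a plain identifier;
      2. semantic: the name must be one this module actually exposes (allowlist);
      3. structural: the normalised absolute path must still sit under module_dir,
         so even a mistake in the first two checks cannot load code elsewhere.
    """
    if not isinstance(action, str) or not ACTION_NAME.fullmatch(action):
        raise BadAction("action is not a plain identifier")
    if action not in ALLOWED_ACTIONS:
        raise BadAction("action is not exposed by this module")
    base = os.path.realpath(module_dir)
    target = os.path.realpath(os.path.join(base, action + ".php"))
    if os.path.commonpath([base, target]) != base:
        raise BadAction("resolved path escapes the module directory")
    return target


def is_safe_action(action):
    """Boolean form for dispatch code that wants to reject before including anything."""
    try:
        resolve_action_file(action)
    except BadAction:
        return False
    return True


if __name__ == "__main__":
    for candidate in ["DetailView", "Delete", "../../config", "DetailView.php"]:
        print(candidate, "->", "load" if is_safe_action(candidate) else "reject")
```

The same three checks translate directly to PHP: validate the parameter against the identifier pattern, look it up in a fixed array of known actions, and compare realpath() of the result against the module directory before any include.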