[Vtigercrm-developers] [CRITICAL] possible code injection vulnerability
J Zakhar
john at tantor.com
Tue Jun 26 06:52:25 PDT 2007
Enrico Weigelt wrote:
> * Minnie <minnie at vtiger.com> wrote:
>
> Hi,
>
>
>> when I try to give module=Leads and action=foo, I got the warning
>> message stating that
>> Warning: include(modules/Leads/foo.php) [function.include]: failed to open stream: No such file or directory in
>>
>
> The problem is: the name of the code file to load is built from
> $_REQUEST{'module'} and $_REQUEST{'action'}. There are several
> ways to trick PHP with special characters. If including from
> URLs is enabled, we have a big fat code injection leak.
>
> cu
>
Granted, I am by no means an expert, but first: is that syntax even valid?
Should it not be $_REQUEST['var']; ?
Second, using that array, you have to form-post to the page for the
variables in $_REQUEST/$_POST/$_GET to get filled.
With most modern versions of PHP, register_globals is off by default.
I just tested it here and the original poster is correct: if you drop in
your own action you can get a remote code execution situation.
Yeah in the code we have
$action = '';
if(isset($_REQUEST['action']))
{
$action = $_REQUEST['action'];
}
and that is bizarre; the whole point of the $_REQUEST array was to stop
this kind of thing...
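The dispatch pattern discussed in this thread (an include path assembled from request parameters) next to an allowlist-based dispatcher, as an added example; this is not vtiger's code, and the module/action names in the map are constructed.

```php
<?php
// Added example, not vtiger's own code. Shows the shape the thread
// describes (include target built from $_REQUEST) beside a hardened
// dispatcher. Module/action names in ACTION_MAP are constructed.

// Vulnerable shape: the include target is taken straight from the
// request, so any value resolving to a readable file (or a URL, when
// allow_url_include is on) gets executed by include().
function dispatch_unsafe(array $request): string {
    $module = $request['module'] ?? '';
    $action = $request['action'] ?? '';
    return "modules/$module/$action.php";   // what reaches include()
}

// Hardened shape: request values select an entry from a fixed map and
// are never used as path components; anything not in the map is denied.
const ACTION_MAP = [
    'Leads' => [
        'index'      => 'modules/Leads/index.php',
        'DetailView' => 'modules/Leads/DetailView.php',
    ],
];

function dispatch_safe(array $request): ?string {
    $module = $request['module'] ?? '';
    $action = $request['action'] ?? 'index';
    // Defence in depth: plain identifiers only, before the lookup.
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $module) ||
        !preg_match('/^[A-Za-z0-9_]{1,64}$/', $action)) {
        return null;                        // treat as 404 / deny
    }
    return ACTION_MAP[$module][$action] ?? null;
}

// Constructed inputs: a known action, the unknown "foo" from the
// thread, and a value containing path characters.
var_dump(dispatch_safe(['module' => 'Leads', 'action' => 'DetailView']));
var_dump(dispatch_safe(['module' => 'Leads', 'action' => 'foo']));
var_dump(dispatch_safe(['module' => 'Leads', 'action' => '../foo']));
```

Only the first call returns a path; the other two return null, so the request never reaches include() with an attacker-chosen file name.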