[Vtigercrm-developers] vtiger CRM 5.0.4 Security Patch Release

Torsten Zenk tzenk at gmx.net
Thu Nov 13 22:54:38 PST 2008


Hi everybody,
be aware that with this security patch you override some modifications 
made to root files. I just experienced an error after applying the sec 
patch with the only plugin that I have installed, the vical1.1 plugin.
So I don't know if this is an issue with other plugins.
The export .ics file gets printed out within the browser instead of 
being put out as a downloadable vtiger-calendar.zip.
Doing a diff between the involved files showed me that these changes 
have to be made if you already have the vical plugin installed and then 
apply the security patch.
The changes have to be made to 1 file out of those that come with 
vical1.1.zip:

-----------------------------------------
in index.php (vTiger 5.04 + vical, no sec patch) these lines are not 
there anymore in the new index.php after applying the security patch so 
these code changes have to be made manually:

304 +    ereg("^iCalExport",$action) ||
331 +    ereg("^iCalExport",$action) ||
338 -     if(ereg("^downloadfile", $action) || 
ereg("^fieldtypes",$action) || ereg("^mailmergedownloadfile",$action)|| 
ereg("^get_img",$action))
338 +    if(ereg("^iCalExport", $action) || ereg("^downloadfile", 
$action) || ereg("^fieldtypes",$action) || 
ereg("^mailmergedownloadfile",$action)|| ereg("^get_img",$action))
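Review bot: the `^iCalExport` pattern added in the line 304, 331 and 338 hunks is a prefix match, so any action whose name merely begins with `iCalExport` also takes the same branch as `downloadfile` and `get_img`; if only that one action is meant, an exact comparison such as `$action == "iCalExport"` is the tighter check. Note also that `ereg()` is deprecated as of PHP 5.3 and removed in PHP 7.0, so the `ereg` calls kept on these lines will need rewriting as `preg_match('/^iCalExport/', $action)` once the installation moves to a newer PHP.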

----------------------------------------

I guess this procedure has to be done with every single plugin that was 
added BEFORE the security patch?

Is there something like a "general" way to apply vTiger ROOT patches 
(like this one) without destroying the plugin modifications or is the 
only way to apply the patch to do the manual changes on every single 
file that was released with the sec patch?

Best Regards
Torsten Zenk



Prasad schrieb:
> Dear vtigers,
>
> We have released a security patch for 5.0.4 that fixes the following
> security issues along with some critical bugs reported by the community.
>
> More details can be found in the release notes: VtigerCRM 5.0.4
> SecurityPatch_ReleaseNotes <http://www.vtiger.com/products/crm/vtigercrm-504-Security-Patch-Release-Notes.pdf>
>
> Security Issues:-
> 1. Local File Disclosure
> 2. Cross-Site Scripting
> 3. SQL injection Vulnerability
> 4. Arbitrary File Upload
>
> Trac Tickets:-
> #5235 <http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5235>: Patch Apply:
> Timeout settings need change
> #5255 <http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5255>: Cannot import
> more than 500 records
> #5307 <http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5307>: Campaign
> Related info getting lost
> #5298 <http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5298>: File attachment
> download gets corrupted
> #5294 <http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5294>: Organization
> image upload issue
> #5231 <http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5231>: Webmail
> qualify issue
> #5268 <http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5268>: Homepage
> dashboard link showing incorrect data in list view
> #4847 <http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/4847>: Problem in
> selecting users/groups/profiles from the roles and groups edit view
> #5393 <http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5393>: Not able to
> delete default profiles/roles/users
>
> We thank vtiger community for their support to detect the issues and help us
> resolve it. Special thanks to Mark Piper, Fabian Fingerele, and Different
> Solutions.
>
> *Patch Download:*
> The 5.0.4 Security patch download is available here:
> VtigerCRM5.0.4_SecurityPatch <http://downloads.sourceforge.net/vtigercrm/VtigerCRM504_Security_Patch.zip>
>
> *NOTE:* You will need to unpack the zip into your vtiger CRM folder. We
> recommend you to take a backup of your directory first before you unpack the
> patch.
> Regards,
> Prasad
> vtiger Team
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.vtigercrm.com/pipermail/vtigercrm-developers/attachments/20081114/14657e03/attachment-0003.html 
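The "general" way asked for above is a three-way merge: keep a pristine copy of each vanilla root file, treat the plugin-modified file as "ours" and the file from the vendor zip as "theirs", and let diff3 combine the two sets of changes instead of letting the unpacked zip overwrite the modified file. The script below is an added example, not code from this thread or from the vtiger project; the three index.php stand-ins it writes are constructed and much shorter than the real file, and the vendor changes in them are invented purely to show a clean merge next to a conflicting one (the situation the post had to resolve by hand).

```shell
#!/bin/sh
# Added example: merge a vendor "root file" patch with local plugin edits
# using diff3 from GNU diffutils. Assumes a pristine copy of each vanilla
# file was kept before any plugin touched it (otherwise unpack the original
# 5.0.4 release to recover one). File contents below are constructed.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for index.php as shipped (the merge base).
cat > "$WORK/index.php.base" <<'EOF'
<?php
require_once('config.php');
$action = $_REQUEST['action'];

if(ereg("^downloadfile", $action) || ereg("^get_img",$action))
    $skip_layout = true;

include('layout.php');
EOF

# Same file after a plugin installer added its own action to the list
# (mirrors the iCalExport edit described in the post).
cat > "$WORK/index.php.ours" <<'EOF'
<?php
require_once('config.php');
$action = $_REQUEST['action'];

if(ereg("^iCalExport", $action) || ereg("^downloadfile", $action) || ereg("^get_img",$action))
    $skip_layout = true;

include('layout.php');
EOF

# Constructed vendor patch A: changes a different region of the file.
cat > "$WORK/index.php.vendorA" <<'EOF'
<?php
require_once('config.php');
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : '';

if(ereg("^downloadfile", $action) || ereg("^get_img",$action))
    $skip_layout = true;

include('layout.php');
EOF

# Constructed vendor patch B: rewrites the very line the plugin also edited.
cat > "$WORK/index.php.vendorB" <<'EOF'
<?php
require_once('config.php');
$action = $_REQUEST['action'];

if($action == "downloadfile" || $action == "get_img")
    $skip_layout = true;

include('layout.php');
EOF

# merge_root_file BASE OURS VENDOR OUT
# Writes the three-way merge to OUT. Returns 0 on a clean merge, 1 when
# diff3 had to leave conflict markers (that hunk must be edited by hand),
# 2 when diff3 itself failed.
merge_root_file() {
    if diff3 -m "$2" "$1" "$3" > "$4"; then
        return 0
    else
        status=$?
        [ "$status" -eq 1 ] || { echo "diff3 failed on $2" >&2; return 2; }
        return 1
    fi
}

# Number of conflict blocks left in a merged file (0 when it merged cleanly).
count_conflicts() {
    grep -c '^<<<<<<<' "$1" || true
}

# Walk both constructed vendor patches: A merges cleanly, B conflicts.
for v in vendorA vendorB; do
    if merge_root_file "$WORK/index.php.base" "$WORK/index.php.ours" \
            "$WORK/index.php.$v" "$WORK/index.php.merged.$v"; then
        echo "$v: clean merge, install $WORK/index.php.merged.$v"
    else
        echo "$v: $(count_conflicts "$WORK/index.php.merged.$v") conflict(s), resolve by hand:"
        sed -n '/^<<<<<<</,/^>>>>>>>/p' "$WORK/index.php.merged.$v"
    fi
done
```

Run once per file that the vendor zip replaces, with the unpacked zip as the VENDOR argument and the live file as OURS; only the files that come back with conflict markers need the manual editing the post describes, and the clean merges can be copied into place directly.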

