[Vtigercrm-developers] V6 Security Issue

Juan Pablo Jaramillo Pineda juanpablojp1 at gmail.com
Thu Jul 18 23:18:36 UTC 2013


Hi everyone,

Although it has been fixed in the GUI, the vulnerability still exists. If I
generate the following payload (e.g. with OWASP ZAP) in an HTTP POST message, I
become Admin:

value=on&field=is_admin&record=5&module=Users&action=SaveAjax (record=5 is
my user id)

Even worse, I could remove the admin privileges of the user Admin by
changing the payload as follows (record=1 and value=off):

value=off&field=is_admin&record=1&module=Users&action=SaveAjax

In theory, I could change any data (field and value) on any user (record)
except the password.


2013/6/6 Appu <apparao at vtiger.com>

> Danny,
>
> Thanks for reporting this issue. I have created a trac ticket.
>
> http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7701
>
>
>
> Regards,
> Apparao G
>
> TEAM
>
> Connect with us on: Website <http://vtiger.com/> | Twitter <http://twitter.com/#%21/vtigercrm>
> | Facebook <http://www.facebook.com/pages/vtiger/226866697333578?sk=wall>
> | Blog <http://blog.vtiger.com/> | Wiki <http://wiki.vtiger.com/index.php/Main_Page>
> | Forums <http://forums.vtiger.com/>
>
>
> On Thu, Jun 6, 2013 at 2:15 PM, Daniel Thompson <developingdanny at gmail.com> wrote:
>
>> Hi,
>>
>> Any user who is not an admin can change themselves to admin.
>>
>> This can be done via My Preferences, detail mode: click on the "no" and
>> check the box.
>>
>> Regards
>>
>> Danny
>>
>> _______________________________________________
>> http://www.vtiger.com/
>>
>
>
>



-- 
Juan Pablo Jaramillo Pineda
Systems and Computing Engineering student
Universidad de Caldas
http://verlaciudad.com
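As an added example (not vtiger's own code), here is a minimal model of the server-side authorization a SaveAjax-style "update one field of one record" endpoint needs so that both payloads quoted in this thread are refused: the principal comes from the server-side session, the target record must be the caller's own unless the caller is an administrator, privileged fields are admin-only, and the password is never settable through this path. The parameter names and the two payloads are from the thread; the field lists, the session-user shape and the `first_name` field are assumptions.

```python
from urllib.parse import parse_qs

# Assumed policy for this example: fields only an administrator may set,
# and fields this endpoint must never accept (the password goes through
# a dedicated, re-authenticated flow instead).
ADMIN_ONLY_FIELDS = {"is_admin", "roleid", "status"}
NEVER_VIA_AJAX = {"user_password", "confirm_password"}


def authorize_save_ajax(session_user, body):
    """Return (allowed, detail) for one posted field change.

    session_user is {"id": int, "is_admin": bool}, read from the server-side
    session and never from the request. detail is the validated change when
    allowed, otherwise the reason for refusal.
    """
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("module") != "Users" or params.get("action") != "SaveAjax":
        return False, "unexpected module/action"
    try:
        record = int(params["record"])
        field = params["field"]
        value = params["value"]
    except (KeyError, ValueError):
        return False, "malformed request"

    # Field-level checks first: they apply regardless of which record is named.
    if field in NEVER_VIA_AJAX:
        return False, "field %s cannot be set through this endpoint" % field
    if field in ADMIN_ONLY_FIELDS and not session_user["is_admin"]:
        return False, "only administrators may change %s" % field

    # Record-level check: the request-supplied id never widens the caller's rights.
    if record != session_user["id"] and not session_user["is_admin"]:
        return False, "non-admins may only edit their own record"

    return True, {"record": record, "field": field, "value": value}


# Constructed principals for a local run; ids match the thread's examples.
NON_ADMIN = {"id": 5, "is_admin": False}
ADMIN = {"id": 1, "is_admin": True}
```

Both payloads from the thread, submitted as NON_ADMIN, come back refused; the same admin-field change submitted by an administrator is allowed.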