[Vtigercrm-developers] V6 Security Issue

Juan Pablo Botero juanpabloboterolopez at gmail.com
Tue Jul 23 16:39:31 UTC 2013


It seems this will persist in the new version of vtiger.


2013/7/18 Juan Pablo Jaramillo Pineda <juanpablojp1 at gmail.com>

> Hi everyone,
>
> Although it has been fixed in the GUI, the vulnerability still exists. If I
> generate the following payload (e.g. with OWASP ZAP) in an HTTP POST message, I'll
> become Admin:
>
> value=on&field=is_admin&record=5&module=Users&action=SaveAjax (record=5 is
> my user id)
>
> Even worse, I could remove the admin privileges of the user Admin by
> changing the payload as follows (record=1 and value=off):
>
> value=off&field=is_admin&record=1&module=Users&action=SaveAjax
>
> In theory, I could change any data (field and value) on any user (record)
> except the password.
>
>
> 2013/6/6 Appu <apparao at vtiger.com>
>
>> Danny,
>>
>> Thanks for reporting this issue. I have created a trac ticket.
>>
>> http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7701
>>
>>
>>
>> Regards,
>> Apparao G
>>
>> TEAM
>>
>> Connect with us on: Website <http://vtiger.com/> | Twitter <http://twitter.com/#%21/vtigercrm>
>> | Facebook <http://www.facebook.com/pages/vtiger/226866697333578?sk=wall>
>> | Blog <http://blog.vtiger.com/> | Wiki <http://wiki.vtiger.com/index.php/Main_Page>
>> | Forums <http://forums.vtiger.com/>
>>
>>
>> On Thu, Jun 6, 2013 at 2:15 PM, Daniel Thompson <developingdanny at gmail.com> wrote:
>>
>>> Hi,
>>>
>>> Any user who is not an admin can change themselves to admin.
>>>
>>> This can be done via My Preferences, detail mode: click on the "No" and
>>> check the box.
>>>
>>> Regards
>>>
>>> Danny
>>>
>>> _______________________________________________
>>> http://www.vtiger.com/
>>>
>>
>>
>>
>
>
>
> --
> Juan Pablo Jaramillo Pineda
> Student of Systems and Computing Engineering
> Universidad de Caldas
> http://verlaciudad.com
>
>



-- 
Cordially:
Juan Pablo Botero
Computer Systems Administrator
Fedora Ambassador for Colombia
http://www.jpilldev.net
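The thread shows why hiding the is_admin checkbox in the GUI does not close the hole: the SaveAjax-style action trusts the client-supplied record and field. The following is an added example, not vtiger's code, of the server-side guard such an action needs: an allow-list of fields a user may edit on their own record, a separate allow-list for admin-only fields, and the session user (never the request) as the source of identity. Function names, field names and the session array layout are assumptions for illustration.

```php
<?php
// Added example (not vtiger's code): server-side authorization for a
// "save one field of one record" AJAX action. Names are hypothetical.

declare(strict_types=1);

// Fields a user may change on their own record. Privilege flags such as
// is_admin are deliberately absent: whether the GUI shows the checkbox
// is irrelevant, the server decides.
const SELF_EDITABLE_FIELDS = ['first_name', 'last_name', 'email', 'phone'];

// Fields only an administrator may change, on any record. Password is in
// neither list here, since it needs its own flow (current-password check).
const ADMIN_ONLY_FIELDS = ['is_admin', 'status', 'roleid'];

/**
 * Decide whether $sessionUser may set $field on user record $recordId.
 * $sessionUser must come from the authenticated session, not from POST.
 */
function authorizeUserFieldUpdate(array $sessionUser, int $recordId, string $field): bool
{
    $isAdmin = ($sessionUser['is_admin'] ?? false) === true;
    $isSelf  = ((int) $sessionUser['id']) === $recordId;

    if ($isAdmin) {
        return in_array($field, SELF_EDITABLE_FIELDS, true)
            || in_array($field, ADMIN_ONLY_FIELDS, true);
    }
    // Non-admins: only their own record, and only allow-listed fields.
    return $isSelf && in_array($field, SELF_EDITABLE_FIELDS, true);
}

/**
 * Handle the SaveAjax-style request. Returns [httpStatus, message]; the
 * caller maps this to a response and runs the database update only on 200.
 */
function handleSaveAjax(array $sessionUser, array $post): array
{
    $recordId = filter_var($post['record'] ?? null, FILTER_VALIDATE_INT);
    $field    = (string) ($post['field'] ?? '');
    if ($recordId === false || $field === '') {
        return [400, 'invalid request'];
    }
    if (!authorizeUserFieldUpdate($sessionUser, $recordId, $field)) {
        // Log the denial: a non-admin posting field=is_admin, or any
        // record other than their own, is worth alerting on.
        error_log(sprintf('DENIED user=%d record=%d field=%s',
            (int) $sessionUser['id'], $recordId, $field));
        return [403, 'forbidden'];
    }
    // Per-field validation of $post['value'] would go here before the update.
    return [200, 'ok'];
}

// Constructed demonstration mirroring the two payloads from the thread,
// sent by a non-admin whose own record id is 5.
$nonAdmin = ['id' => 5, 'is_admin' => false];
var_dump(handleSaveAjax($nonAdmin, ['value' => 'on',  'field' => 'is_admin', 'record' => '5']));
var_dump(handleSaveAjax($nonAdmin, ['value' => 'off', 'field' => 'is_admin', 'record' => '1']));
var_dump(handleSaveAjax($nonAdmin, ['value' => '555', 'field' => 'phone',    'record' => '5']));
```

Both is_admin requests are refused with 403 regardless of which record they name, while the harmless phone update on the user's own record passes. The design point is that the decision depends only on the session identity and a fixed allow-list, so no combination of field, record and value in the request body can widen what the caller is permitted to do; the denial log line gives operators a detection hook for probing attempts like the ones reported here.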