[Vtigercrm-developers] V6 Security Issue

Doug sailsfast at gmail.com
Tue Jul 23 17:21:12 UTC 2013


It is very troubling.

Don't know that will be the case though.

Haven't checked trac yet for it myself.
On Jul 23, 2013 12:42 PM, "Juan Pablo Botero" <juanpabloboterolopez at gmail.com> wrote:

> It seems this will persist in the new version of vtiger
>
>
> 2013/7/18 Juan Pablo Jaramillo Pineda <juanpablojp1 at gmail.com>
>
>> Hi everyone,
>>
>> Although it has been fixed in the GUI, the vulnerability still exists. If
>> I generate the next payload (e.g. with OWASP ZAP) in an HTTP POST message I'll
>> become Admin:
>>
>> value=on&field=is_admin&record=5&module=Users&action=SaveAjax (record=5
>> is my user id)
>>
>> Even worse, I could remove the admin privileges from the user Admin by
>> changing the payload as follows (record=1 and value=off):
>>
>> value=off&field=is_admin&record=1&module=Users&action=SaveAjax
>>
>> In theory, I could change any data (field and value) on any user (record)
>> except the password.
>>
>>
>> 2013/6/6 Appu <apparao at vtiger.com>
>>
>>> Danny,
>>>
>>> Thanks for reporting this issue. I have created a trac ticket.
>>>
>>> http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7701
>>>
>>>
>>>
>>> Regards,
>>> Apparao G
>>>
>>>
>>>
>>> On Thu, Jun 6, 2013 at 2:15 PM, Daniel Thompson <developingdanny at gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> Any user who is not an admin can change themselves to admin.
>>>>
>>>> This can be done by my preferences, detail mode, click on the no and
>>>> check the box.
>>>>
>>>> Regards
>>>>
>>>> Danny
>>>>
>>>> _______________________________________________
>>>> http://www.vtiger.com/
>>>>
>>>
>>>
>>>
>>
>>
>>
>> --
>> Juan Pablo Jaramillo Pineda
>> Systems and Computing Engineering Student
>> Universidad de Caldas
>> http://verlaciudad.com
>>
>>
>
>
>
> --
> Regards:
> Juan Pablo Botero
> IT Systems Administrator
> Fedora Ambassador for Colombia
> http://www.jpilldev.net
>
>
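The root cause discussed in this thread is a field update endpoint that trusts the client-supplied record id and field name without checking the acting user's rights. As an added illustration (not vtiger's code), the check below takes the acting user from the authenticated session and rejects the two payloads from the thread; the privileged field list and the field name phone_work are assumptions for this example.

```python
from urllib.parse import parse_qs

# Fields on a Users record that only an administrator may change
# (constructed list for this example, not taken from the vtiger code base).
PRIVILEGED_USER_FIELDS = {"is_admin", "roleid", "status"}


class AuthorizationError(Exception):
    """Raised when the acting user may not perform the requested update."""


def authorize_save_ajax(body: str, session_user_id: int, session_is_admin: bool) -> dict:
    """Return the parsed SaveAjax parameters if the update is permitted.

    The acting user's id and admin flag come from the authenticated session,
    never from the request body, because record/field/value are all
    attacker-controlled.
    """
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("module") != "Users" or params.get("action") != "SaveAjax":
        raise AuthorizationError("not a Users/SaveAjax request")
    try:
        record = int(params.get("record", ""))
    except ValueError:
        raise AuthorizationError("record must be an integer user id") from None
    field = params.get("field", "")
    if session_is_admin:
        return params  # an administrator may edit any user record
    if record != session_user_id:
        raise AuthorizationError("a non-admin may only edit their own record")
    if field in PRIVILEGED_USER_FIELDS:
        raise AuthorizationError(f"field {field!r} requires admin rights")
    return params


def is_permitted(body: str, session_user_id: int, session_is_admin: bool) -> bool:
    """Boolean wrapper around authorize_save_ajax for policy checks."""
    try:
        authorize_save_ajax(body, session_user_id, session_is_admin)
        return True
    except AuthorizationError:
        return False


# The two payloads quoted in the thread, replayed as non-admin user 5.
SELF_PROMOTE = "value=on&field=is_admin&record=5&module=Users&action=SaveAjax"
DEMOTE_ADMIN = "value=off&field=is_admin&record=1&module=Users&action=SaveAjax"
# Constructed benign update to the user's own non-privileged field.
OWN_PHONE = "value=555&field=phone_work&record=5&module=Users&action=SaveAjax"
```

With this check in place, is_permitted(SELF_PROMOTE, 5, False) and is_permitted(DEMOTE_ADMIN, 5, False) both return False, while the benign OWN_PHONE update by user 5 is allowed.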