[Vtigercrm-developers] V6 Security Issue
Juan Pablo Jaramillo Pineda
juanpablojp1 at gmail.com
Wed Jul 24 08:19:33 UTC 2013
I have created a new ticket:
http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7714
2013/7/23 Doug <sailsfast at gmail.com>
> It is very troubling.
>
> Don't know that will be the case though.
>
> Haven't checked trac yet for it myself
> On Jul 23, 2013 12:42 PM, "Juan Pablo Botero" <
> juanpabloboterolopez at gmail.com> wrote:
>
>> It seems this will persist in the new version of vtiger
>>
>>
>> 2013/7/18 Juan Pablo Jaramillo Pineda <juanpablojp1 at gmail.com>
>>
>>> Hi everyone,
>>>
>>> Although it has been fixed in the GUI, the vulnerability still exists. If
>>> I generate the following payload (e.g. with OWASP ZAP) in an HTTP POST message I'll
>>> become Admin:
>>>
>>> value=on&field=is_admin&record=5&module=Users&action=SaveAjax (record=5
>>> is my user id)
>>>
>>> Even worse, I could remove the admin privileges from the user Admin by
>>> changing the payload as follows (record=1 and value=off):
>>>
>>> value=off&field=is_admin&record=1&module=Users&action=SaveAjax
>>>
>>> In theory, I could change any data (field and value) on any user
>>> (record) except the password.
>>>
>>>
>>> 2013/6/6 Appu <apparao at vtiger.com>
>>>
>>>> Danny,
>>>>
>>>> Thanks for reporting this issue. I have created a trac ticket.
>>>>
>>>> http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7701
>>>>
>>>>
>>>>
>>>> Regards,
>>>> Apparao G
>>>>
>>>> TEAM
>>>>
>>>> Connect with us on: Website <http://vtiger.com/> | Twitter <http://twitter.com/#%21/vtigercrm>
>>>> | Facebook <http://www.facebook.com/pages/vtiger/226866697333578?sk=wall>
>>>> | Blog <http://blog.vtiger.com/> | Wiki <http://wiki.vtiger.com/index.php/Main_Page>
>>>> | Forums <http://forums.vtiger.com/>
>>>>
>>>>
>>>> On Thu, Jun 6, 2013 at 2:15 PM, Daniel Thompson <
>>>> developingdanny at gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Any user who is not an admin can change themselves to admin.
>>>>>
>>>>> This can be done via My Preferences, in detail mode: click on the "No" and
>>>>> check the box.
>>>>>
>>>>> Regards
>>>>>
>>>>> Danny
>>>>>
>>>>> _______________________________________________
>>>>> http://www.vtiger.com/
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Juan Pablo Jaramillo Pineda
>>> Systems and Computing Engineering student
>>> Universidad de Caldas
>>> http://verlaciudad.com
>>>
>>>
>>
>>
>>
>> --
>> Kind regards:
>> Juan Pablo Botero
>> IT Systems Administrator
>> Fedora Ambassador for Colombia
>> http://www.jpilldev.net
>>
>>
>
>
--
Juan Pablo Jaramillo Pineda
Systems and Computing Engineering student
Universidad de Caldas
http://verlaciudad.com
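As an added illustration (not vtiger's code, and not from anyone in this thread), here is the kind of server-side authorization guard that rejects both payloads quoted above before a field update is applied; the protected-field list, the session array and the function name are hypothetical.

```php
<?php
// Added example, not vtiger's own code. Models a guard in front of a
// SaveAjax-style "set one field on one record" handler for the Users module.

// Hypothetical list of privilege fields that only an administrator may change.
const PROTECTED_USER_FIELDS = ['is_admin', 'roleid', 'status'];

/**
 * Decide whether the logged-in user may set $field on Users record $recordId.
 * Returns null when the update is allowed, otherwise a reason for the denial.
 */
function authorizeUserFieldUpdate(array $sessionUser, string $module, int $recordId, string $field): ?string
{
    if ($module !== 'Users') {
        return 'only the Users module is modelled here';
    }
    // Privilege fields are admin-only regardless of which record is targeted,
    // so record=5 (self) and record=1 (the Admin user) are both refused.
    if (!$sessionUser['is_admin'] && in_array($field, PROTECTED_USER_FIELDS, true)) {
        return "field '$field' may only be changed by an administrator";
    }
    // Non-admins may edit their own record only; the record id from the
    // request is never trusted on its own.
    if (!$sessionUser['is_admin'] && $recordId !== (int) $sessionUser['id']) {
        return "record $recordId does not belong to user {$sessionUser['id']}";
    }
    return null;
}

// Constructed session: the reporter's case, a non-admin user with id 5.
$sessionUser = ['id' => 5, 'is_admin' => false];

// The two payloads from the thread plus one legitimate self-edit (constructed).
$payloads = [
    'value=on&field=is_admin&record=5&module=Users&action=SaveAjax',
    'value=off&field=is_admin&record=1&module=Users&action=SaveAjax',
    'value=Juan&field=first_name&record=5&module=Users&action=SaveAjax',
];

foreach ($payloads as $raw) {
    parse_str($raw, $p);
    $reason = authorizeUserFieldUpdate($sessionUser, $p['module'], (int) $p['record'], $p['field']);
    echo $raw, PHP_EOL, '  -> ', $reason === null ? 'ALLOWED' : "DENIED: $reason", PHP_EOL;
}
```

A denial reason returned this way is also what you would log, so attempts to flip is_admin show up in the audit trail rather than silently failing.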