[Vtigercrm-developers] vtiger CRM 5.4.0 - Security Patch Released in Live
Adam Heinz
amh at metricwise.net
Tue Mar 26 15:04:27 GMT 2013
I'm still working through the patch, but I think I see a bad hunk. At
modules/Users/Authenticate.php:33, I
see vtlib_purify($_REQUEST['user_password']) being added back in. I think
I remember this specifically causing problems for passwords with special
characters in them.
On Tue, Mar 26, 2013 at 10:46 AM, Adam Heinz <amh at metricwise.net> wrote:
> This isn't a patch, this is a zip file. Unrolling the zip over top of a
> pristine vtiger 5.4.0 and moving some files around (ConfigEditor,
> MailManager and Tooltip modules) reveals that this zip appears to be the
> most recent two changesets from vtigercrm/branches/5.4.0 [1]. If you
> download the unified diff [2] from Trac and make some replacements, you
> should be able to patch [3] an installation. YMMV; I had several patch
> errors due to modifications in our fork.
>
> [1]
> http://trac.vtiger.com/cgi-bin/trac.cgi/changeset?reponame=&new=13857%40vtigercrm%2Fbranches%2F5.4.0&old=13833%40vtigercrm%2Fbranches%2F5.4.0
> [2]
> http://trac.vtiger.com/cgi-bin/trac.cgi/changeset?format=diff&new=13857&old=13833&new_path=%2Fvtigercrm%2Fbranches%2F5.4.0&old_path=%2Fvtigercrm%2Fbranches%2F5.4.0
> [3] cat vtiger.patch | sed -f vtiger.sed | patch -p3
>
>
>
> On Tue, Mar 26, 2013 at 3:41 AM, Appu <apparao at vtiger.com> wrote:
>
>> Hi All,
>>
>> We released a security patch for 5.4.0 that fixes the following security
>> issues.
>>
>> - Local File Inclusion
>> - Local File Deletion
>> - SQL Injection
>> - PHP Code Injection
>> - Cross site scripting
>> - Arbitrary File Upload
>> - Authentication Bypass vulnerabilities(SOAP API's)
>>
>> We would like to thank Nick Freeman from security-assessment.com and Egidio
>> for reporting these vulnerabilities.
>>
>> Download Links:
>>
>> https://www.vtiger.com/crm/open-source-downloads/ or
>>
>>
>> http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%205.4.0/Core%20Product/VtigerCRM540_Security_Patch.zip
>>
>>
>> Note: We recommend taking a backup of your source directory before you
>> unpack the patch in the source directory.
>>
>> Thanks,
>> Apparao G
>>
>> TEAM
>>
>> Connect with us on: Website <http://vtiger.com/> | Twitter <http://twitter.com/#%21/vtigercrm>
>> | Facebook <http://www.facebook.com/pages/vtiger/226866697333578?sk=wall>
>> | Blog <http://blog.vtiger.com/> | Wiki <http://wiki.vtiger.com/index.php/Main_Page>
>> | Forums <http://forums.vtiger.com/>
>>
>>
>
>
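The concern raised above about running vtlib_purify() over user_password, illustrated with an added example that is not vtiger's code and does not reproduce vtlib_purify() itself. purify_like() is a stand-in that assumes the effect an HTML purifier typically has on text (tags stripped, metacharacters entity-encoded); password_hash()/password_verify() stand in for whatever the application actually stores; the password value is constructed for the demonstration.

```php
<?php
// Added example, not vtiger code. Shows why an HTML sanitizer must never touch a
// credential: a purifier rewrites the bytes it is given, so a password containing
// HTML metacharacters no longer matches what was hashed at registration time.

// Assumed stand-in for an HTML purifier's effect on a string. Real purifiers
// (HTMLPurifier, what vtlib_purify wraps) do more, but these two transformations
// are enough to break a password.
function purify_like(string $s): string {
    $s = strip_tags($s);                                  // "<word>" disappears entirely
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');     // & -> &amp;  " -> &quot;  ' -> &#039;
}

// Broken pattern: sanitise the submitted secret, then verify it.
function login_purified(string $submitted, string $stored_hash): bool {
    $candidate = purify_like($submitted);
    return password_verify($candidate, $stored_hash);
}

// Correct pattern: a password is a secret to be verified, not content to be
// rendered. Leave its bytes alone, hash it for storage, and let password_verify()
// do the constant-time comparison. Injection defence belongs in the database
// layer (bound parameters), not in rewriting the value.
function login_plain(string $submitted, string $stored_hash): bool {
    return password_verify($submitted, $stored_hash);
}

// Constructed test data: a password full of HTML metacharacters, hashed exactly
// as the user typed it when the account was created.
$password = 'p&ss<word>"2013';
$stored   = password_hash($password, PASSWORD_DEFAULT);

printf("submitted: %s\n", $password);
printf("after purify_like(): %s\n", purify_like($password));
printf("login_purified(): %s\n", login_purified($password, $stored) ? 'accepted' : 'REJECTED');
printf("login_plain():    %s\n", login_plain($password, $stored) ? 'accepted' : 'REJECTED');
```

Run with `php` on the command line. The purified form comes out as `p&amp;ss&quot;2013`: the `<word>` fragment is gone and the `&` and `"` are entity-encoded, so the purified login is rejected while the untouched one is accepted. The same check applies to any field that is compared rather than displayed (API tokens, session secrets, HMACs): sanitise output for the context it is rendered into, not input that is only ever verified.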