[Vtigercrm-developers] vtiger CRM 5.4.0 - Security Patch Released in Live

Adam Heinz amh at metricwise.net
Tue Mar 26 15:19:20 GMT 2013


I should also say -- thanks for the security update!


On Tue, Mar 26, 2013 at 11:04 AM, Adam Heinz <amh at metricwise.net> wrote:

> I'm still working through the patch, but I think I see a bad hunk.  At
> modules/Users/Authenticate.php:33, I
> see vtlib_purify($_REQUEST['user_password']) being added back in.  I think
> I remember this specifically causing problems for passwords with special
> characters in them.
>
>
> On Tue, Mar 26, 2013 at 10:46 AM, Adam Heinz <amh at metricwise.net> wrote:
>
>> This isn't a patch, this is a zip file.  Unrolling the zip over top of a
>> pristine vtiger 5.4.0 and moving some files around (ConfigEditor,
>> MailManager and Tooltip modules) reveals that this zip appears to be the
>> most recent two changesets from vtigercrm/branches/5.4.0 [1].  If you
>> download the unified diff [2] from Trac and make some replacements, you
>> should be able to patch [3] an installation.  YMMV; I had several patch
>> errors due to modifications in our fork.
>>
>> [1]
>> http://trac.vtiger.com/cgi-bin/trac.cgi/changeset?reponame=&new=13857%40vtigercrm%2Fbranches%2F5.4.0&old=13833%40vtigercrm%2Fbranches%2F5.4.0
>> [2]
>> http://trac.vtiger.com/cgi-bin/trac.cgi/changeset?format=diff&new=13857&old=13833&new_path=%2Fvtigercrm%2Fbranches%2F5.4.0&old_path=%2Fvtigercrm%2Fbranches%2F5.4.0
>> [3] cat vtiger.patch | sed -f vtiger.sed | patch -p3
>>
>>
>>
>> On Tue, Mar 26, 2013 at 3:41 AM, Appu <apparao at vtiger.com> wrote:
>>
>>> Hi All,
>>>
>>> We released a security patch for 5.4.0 that fixes the following security
>>> issues.
>>>
>>>    - Local File Inclusion
>>>    - Local File Deletion
>>>    - SQL Injection
>>>    - PHP Code Injection
>>>    - Cross site scripting
>>>    - Arbitrary File Upload
>>>    - Authentication Bypass vulnerabilities (SOAP APIs)
>>>
>>> We would like to thank *Nick Freeman* from security-assessment.com and
>>> *Egidio* for reporting these vulnerabilities.
>>>
>>> *Download Links*:
>>>
>>> https://www.vtiger.com/crm/open-source-downloads/ or
>>>
>>>
>>> http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%205.4.0/Core%20Product/VtigerCRM540_Security_Patch.zip
>>>
>>>
>>> *Note:* We recommend taking a backup of your source directory before
>>> you unpack the patch in the source directory.
>>>
>>> Thanks,
>>> Apparao G
>>>
>>>
>>> _______________________________________________
>>> http://www.vtiger.com/
>>>
>>
>>
>
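The path-rewriting step behind the pipeline in [3] above (`sed -f vtiger.sed | patch -p3`), as an added example that is not code from this thread or from the vtiger project. The destination directories for the moved modules, the diff header shape and the sample hunks are assumptions constructed for illustration; `dry_run` relies on GNU patch's `--dry-run` and `-d` options.

```shell
#!/bin/sh
# Added example, not from the thread: rewrite module paths in a unified diff
# before handing it to patch(1), then check that it applies without touching
# the tree. New module locations below are ASSUMED for illustration only.

# Constructed sample in the shape of a Subversion/Trac unified diff.
SAMPLE_DIFF='Index: vtigercrm/branches/5.4.0/modules/ConfigEditor/ConfigEditor.php
--- vtigercrm/branches/5.4.0/modules/ConfigEditor/ConfigEditor.php (revision 13833)
+++ vtigercrm/branches/5.4.0/modules/ConfigEditor/ConfigEditor.php (revision 13857)
@@ -1,1 +1,1 @@
-$path = "modules/ConfigEditor/x.php";
+$path = "modules/ConfigEditor/y.php";
Index: vtigercrm/branches/5.4.0/modules/Users/Authenticate.php
--- vtigercrm/branches/5.4.0/modules/Users/Authenticate.php (revision 13833)
+++ vtigercrm/branches/5.4.0/modules/Users/Authenticate.php (revision 13857)
@@ -1,1 +1,1 @@
-old line
+new line'

# move_module OLD NEW: on stdin, rewrite directory OLD/ to NEW/ but only in
# header lines (Index:, ---, +++). Hunk bodies are left alone, so a source
# line that merely mentions the old path is not rewritten by accident.
move_module() {
  sed -e "s#^\(Index: [^ ]*\)$1/#\1$2/#" \
      -e "s#^\(--- [^ ]*\)$1/#\1$2/#" \
      -e "s#^\(+++ [^ ]*\)$1/#\1$2/#"
}

# rewrite_paths: the equivalent of a vtiger.sed script, one move per module
# that the zip relocated (destinations are assumptions, not the real layout).
rewrite_paths() {
  move_module modules/ConfigEditor modules/Settings/ConfigEditor \
  | move_module modules/MailManager modules/Settings/MailManager \
  | move_module modules/Tooltip modules/Settings/Tooltip
}

# dry_run DIR: confirm the rewritten diff applies to DIR without changing it.
# -p3 strips vtigercrm/branches/5.4.0/ exactly as in the posted command.
dry_run() {
  rewrite_paths | patch --dry-run -p3 -d "$1"
}

# Usage: printf '%s\n' "$SAMPLE_DIFF" | rewrite_paths | grep '^[-+][-+][-+] '
#        dry_run /path/to/vtiger540 < vtiger.patch
```

Run `dry_run` against a backup copy first; only the headers change, so the hunks must still line up with the files at their new locations.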

