[Vtigercrm-developers] SOAP vulnerability

Prasad prasad at vtiger.com
Thu Jan 16 10:38:26 GMT 2014


The exploit explained cannot succeed if the soap-session is not active
through the Outlook plugin (older versions). I have devised a fix to handle the
filename being uploaded - http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7903

Please review.

Regards,
Prasad





On Thu, Jan 16, 2014 at 2:37 PM, Pabiszczak, Błażej <
b.pabiszczak at opensaas.pl> wrote:

> and 6.0 too.
>
>
> Regards
> Błażej Pabiszczak
> M: +48.884999123
> E: b.pabiszczak at opensaas.pl
>
>
> 2014/1/16 Joe Bordes <joe at tsolucio.com>
>
>>  Is that also true for 5.4?
>>
>>
>>
>> On 16/01/14 09:48, Prasad wrote:
>>
>> Removing vtigerolservice.php should solve the issue - as the Vtiger Outlook
>> Plugin no longer requires this entry point.
>>
>>  Regards,
>> Prasad
>>
>>
>>
>> On Thu, Jan 16, 2014 at 12:04 AM, Joe Bordes <joe at tsolucio.com> wrote:
>>
>>> I see that the security patch released a few months ago seems to address
>>> this vulnerability although I'm not totally sure. Can somebody in vtiger
>>> please confirm that the solution is in that patch, please?
>>>
>>>
>>> On 15/01/14 18:17, Joe Bordes wrote:
>>>
>>>  Hi
>>>>
>>>> Frank Piepiorra from CRMNOW just announced this on the forum:
>>>>
>>>> http://www.exploit-db.com/exploits/30787/
>>>>
>>>> https://discussions.vtiger.com/index.php?p=/discussion/169458/vtiger-security-alert-for-soap
>>>>
>>>>
>>>> Joe
>>>> TSolucio
>>>>
>>>> _______________________________________________
>>>> http://www.vtiger.com/
>>>>
>>>
>>>
>>
>>
>>
>>
>>
>>
>> --
>> Regards
>> Joe
>> TSolucio
>>
>>
>>
>
>
>