[Vtigercrm-developers] IMP: forgot password and re-installation security fix
Uma S
uma.s at vtiger.com
Sun Mar 16 07:49:08 GMT 2014
Thanks to Jonathan, Security Architect at Navixia, for reporting a
vulnerability in vtiger 6.0.
*Summary:*
1. A request to Forgotpassword.php passing the parameters username,
password and confirmpassword could change the password of any user.
2. An Ajax request to Index.php (modules/Install/views) with mode set to
Step7, passing the authentication key, could re-install the source. The
authentication key was exposed in the DOM during Step6 of the installation.
*Update:*
1. The forgot-password fix requires a secret hash value in addition to
the username and password.
2. The re-installation fix checks whether the source is already
installed and, if so, stops the installation.
3. Please find the
changeset <http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/14043> for
both fixes.
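As an added illustration of the two checks described above (example code written for this post, not the vtiger changeset; the function names, the in-memory $store and the config-file path are assumptions):

```php
<?php
// Added example (not vtiger's own code): a forgot-password flow that binds the
// reset to a secret, single-use, expiring token, plus an "already installed"
// guard. Storage is an in-memory array here; a deployment would use the DB.

const RESET_TTL_SECONDS = 3600;

// Step 1: issue a token delivered out-of-band (e.g. e-mailed to the user).
// Only its hash is stored, so reading the store does not yield a usable token.
function issueResetToken(array &$store, string $username): string {
    $token = bin2hex(random_bytes(32));            // 256 bits of CSPRNG entropy
    $store[$username] = [
        'hash'    => hash('sha256', $token),
        'expires' => time() + RESET_TTL_SECONDS,
    ];
    return $token;
}

// Step 2: the reset request must carry username, token and the new password.
// Without a valid token for that exact username the password never changes.
function resetPassword(array &$store, string $username, string $token,
                       string $password, string $confirmPassword): bool {
    if (!isset($store[$username])) {
        return false;                              // no outstanding reset
    }
    $entry = $store[$username];
    if (time() > $entry['expires']) {
        unset($store[$username]);                  // expired: discard it
        return false;
    }
    // Constant-time comparison of the token hash, keyed to the username.
    if (!hash_equals($entry['hash'], hash('sha256', $token))) {
        return false;
    }
    if ($password === '' || $password !== $confirmPassword) {
        return false;
    }
    unset($store[$username]);                      // single use
    $newHash = password_hash($password, PASSWORD_DEFAULT);
    // ... persist $newHash for $username in the user table ...
    return true;
}

// Re-installation guard: refuse every install step once the config exists.
function installAllowed(string $configFile = 'config.inc.php'): bool {
    return !file_exists($configFile);
}
```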
*Download:*
vtigercrm-600-security-patch2.zip (unzip it into your existing vtiger 6
source directory).
--
With
Best Regards
Uma.S
Vtiger Team