[Vtigercrm-developers] IMP: forgot password and re-installation security fix
Uma S
uma.s at vtiger.com
Sun Mar 16 08:15:24 GMT 2014
Hi,
Please update us for these sort of vulnerability issues and we work closely
to get such issues resolved at most priority.
Regards
Uma S
On Sun, Mar 16, 2014 at 1:19 PM, Uma S <uma.s at vtiger.com> wrote:
>
> Thanks for Jonathan Security Architect from Navixia for reporting
> vulnerability in
> vtiger 6.0.
>
> *Summary:*
>
> 1. Request to Forgotpassword.php, by passing parameter username,
> password, confirpassword. One can change the password of any user.
> 2. Ajax request to Index.php (modules/Install/views) with mode as
> Step7, by passing authentication key can re-install the source. Where
> authentication key can be gained in Step6 of installation in DOM.
>
> *Update:*
>
> 1. The fix devised to forgotpassword will look for secret hash value
> with addition to username and password.
> 2. The fix devised to re-installation will check whether the source is
> already installed, if so stop installation
> 3. Please find the changeset<http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/14043>for both fix.
>
>
> *Download:*
> vtigercrm-600-security-patch2.zip (unzip into your existing vtiger 6
> source directory).
>
>
> --
> With
> Best Regards
> Uma.S
> Vtiger Team
>
--
With
Best Regards
Uma.S
Vtiger Team
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.vtigercrm.com/pipermail/vtigercrm-developers/attachments/20140316/9150b449/attachment.html>
More information about the vtigercrm-developers
mailing list