[Vtigercrm-developers] IMP: forgot password and re-installation security fix

Uma S uma.s at vtiger.com
Sun Mar 16 08:15:24 GMT 2014


Hi,

Please update us on these sorts of vulnerability issues and we will work closely
to get such issues resolved at the highest priority.

Regards
Uma S


On Sun, Mar 16, 2014 at 1:19 PM, Uma S <uma.s at vtiger.com> wrote:

>
> Thanks to Jonathan, Security Architect from Navixia, for reporting a
> vulnerability in
> vtiger 6.0.
>
> *Summary:*
>
>    1. A request to Forgotpassword.php passing the parameters username,
>    password and confirpassword can change the password of any user.
>    2. An Ajax request to Index.php (modules/Install/views) with mode
>    Step7, passing the authentication key, can re-install the source; the
>    authentication key can be obtained from the DOM in Step6 of the installation.
>
> *Update:*
>
>    1. The fix devised for forgotpassword will look for a secret hash value
>    in addition to the username and password.
>    2. The fix devised for re-installation will check whether the source is
>    already installed and, if so, stop the installation.
>    3. Please find the changeset <http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/14043> for both fixes.
>
>
> *Download:*
> vtigercrm-600-security-patch2.zip (unzip into your existing vtiger 6
> source directory).
>
>
> --
> With
> Best Regards
> Uma.S
> Vtiger Team
>



-- 
With
Best Regards
Uma.S
Vtiger Team
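The two fixes summarised in the quoted message are a per-user secret on the password-reset request and an "already installed" guard on the installer's final step. The following is an added example, written for this archive page and not taken from vtiger's code or the linked changeset; it shows both mechanisms in Python rather than vtiger's PHP, against a constructed in-memory user table. Every name in it (UserStore, issue_reset_token, reset_password, run_install_step7, TOKEN_TTL_SECONDS) is hypothetical, as is the 15-minute token lifetime.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: reset tokens expire after 15 minutes


def _hash_password(password, salt):
    # PBKDF2-SHA256; the iteration count is illustrative, tune it for your deployment
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class UserStore:
    """Constructed in-memory stand-in for the CRM user table (not vtiger's schema)."""

    def __init__(self):
        self.users = {}

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": _hash_password(password, salt),
            "reset_hash": None,   # SHA-256 of the outstanding reset token, if any
            "reset_expires": 0.0,
        }

    def verify_password(self, username, password):
        u = self.users.get(username)
        if u is None:
            return False
        return hmac.compare_digest(u["pw_hash"], _hash_password(password, u["salt"]))


def reset_password_unauthenticated(store, username, password, confirm):
    """The flawed shape the advisory describes: username plus new password is enough."""
    u = store.users.get(username)
    if u is None or password != confirm:
        return False
    u["pw_hash"] = _hash_password(password, u["salt"])
    return True


def issue_reset_token(store, username, now=None):
    """Creates the per-user secret; only its hash is stored, the raw token goes out of band."""
    u = store.users.get(username)
    if u is None:
        return None
    token = secrets.token_urlsafe(32)
    u["reset_hash"] = hashlib.sha256(token.encode("utf-8")).hexdigest()
    u["reset_expires"] = (now if now is not None else time.time()) + TOKEN_TTL_SECONDS
    return token


def reset_password(store, username, token, password, confirm, now=None):
    """Fixed shape: the request must also carry the secret bound to this user."""
    now = now if now is not None else time.time()
    u = store.users.get(username)
    if u is None or u["reset_hash"] is None:
        return (False, "no pending reset")
    if now > u["reset_expires"]:
        u["reset_hash"] = None
        return (False, "token expired")
    presented = hashlib.sha256((token or "").encode("utf-8")).hexdigest()
    if not hmac.compare_digest(presented, u["reset_hash"]):
        return (False, "bad token")
    if password != confirm or len(password) < 8:
        return (False, "password rejected")
    u["reset_hash"] = None  # single use: burn the token before writing the new hash
    u["pw_hash"] = _hash_password(password, u["salt"])
    return (True, "password changed")


def run_install_step7(install_state, presented_key):
    """Installer finaliser: refuse outright once installed, whatever key is presented."""
    if install_state.get("installed"):
        return (False, "already installed")
    if not hmac.compare_digest(install_state["auth_key"], presented_key):
        return (False, "bad auth key")
    install_state["installed"] = True  # in a real app this is the on-disk install marker
    return (True, "installed")
```

The ordering in run_install_step7 is the point of the second fix: the installed check runs before the key comparison, so a key recovered from an earlier step's page is useless once installation has completed. In reset_password the token is hashed at rest and compared in constant time, expires, and is consumed before the password write, so a captured reset link cannot be replayed.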