[Vtigercrm-developers] backdoor

Sreenivas Kanumuru svk at vtiger.com
Mon Mar 17 10:31:24 GMT 2014


>
>
> *Sreenivas, set up a user at the bottom of the roles tree and
> fire: www.yourdomain/yourcrm/index.php?module=Users&view=List ... and
> you will see the list of all users :-)*


Yep, it does reveal the names of other users that have a higher role than
the logged-in user as well. We will include a fix for this when the next
security patch is released.

Regards,
Sreenivas

--
Sreenivas Kanumuru
vtiger Team

Direct: +91 96323-55656
Skype: skanumuru



On Mon, Mar 17, 2014 at 3:54 PM, Sreenivas Kanumuru <svk at vtiger.com> wrote:

> Jonathan, I see your point. We have these choices currently in the Role -
> Assigned To Setting.
>
> 1 - All users
> 2 - Users with same role or subordinate role
> 3 - Users with subordinate role
>
> For options #2 and #3, we should only allow them to assign to groups that
> do not have any higher role members. We will fix this in the next version.
>
> Regards,
>
> Sreenivas
>
>
>
> On Mon, Mar 17, 2014 at 3:35 PM, Jonathan Sardo <sardoj at gmail.com> wrote:
>
>> Sreenivas,
>>
>> It's true for users, but the problem exists with groups.
>> A user can assign data to all groups. I think it is a security hole.
>>
>> Regards,
>>
>> Jonathan SARDO
>>
>>
>> 2014-03-17 10:57 GMT+01:00 Sreenivas Kanumuru <svk at vtiger.com>:
>>
>>> In Vtiger 6, in Role Settings, for users with a given role, you can
>>> choose whether to show all users in the Assigned To list or only users with
>>> same or below role.
>>>
>>> Regards,
>>> Sreenivas
>>>
>>>
>>>
>>>
>>>
>>> On Sun, Mar 16, 2014 at 5:27 PM, Siam Translations LLP <
>>> info at siam-translations.com> wrote:
>>>
>>>> A user who can't assign anything to the parent users (Users having Same
>>>> Role or Subordinate Role)
>>>> can anyway see all other users, which might not be coveted in some
>>>> organizations ... index.php?module=Users&view=List
>>>>
>>>> Regards
>>>> Andrew Smith
>>>> _______________________________________________
>>>> http://www.vtiger.com/
>>>>
>
>
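
The group rule proposed in the quoted reply above (under options #2 and #3, only allow assignment to groups with no higher-role members), as an added example that is not part of the thread and not vtiger's code. The role tree, users and groups are constructed sample data, and "higher role" is assumed to mean an ancestor in the role tree.

```python
# Added example: a model of the role rules discussed in this thread, not vtiger code.
# Role names, users and groups below are constructed sample data.
PARENT = {"CEO": None, "Sales Manager": "CEO", "Sales Rep": "Sales Manager",
          "Support Agent": "CEO"}
USER_ROLE = {"alice": "CEO", "bob": "Sales Manager", "carol": "Sales Rep",
             "dave": "Sales Rep", "erin": "Support Agent"}
GROUPS = {"Sales Team": {"carol", "dave"},
          "Management": {"alice", "bob"},
          "Escalations": {"bob", "carol"}}

# The three "Assigned To" options listed in the thread.
ALL_USERS, SAME_OR_SUBORDINATE, SUBORDINATE = 1, 2, 3


def ancestors(role):
    """Roles strictly above `role` in the tree (assumed meaning of 'higher role')."""
    out = set()
    role = PARENT[role]
    while role is not None:
        out.add(role)
        role = PARENT[role]
    return out


def assignable_users(actor, option):
    """Users the actor may pick in Assigned To under the given option."""
    mine = USER_ROLE[actor]
    if option == ALL_USERS:
        return set(USER_ROLE)
    below = {u for u, r in USER_ROLE.items() if mine in ancestors(r)}
    if option == SUBORDINATE:
        return below
    return below | {u for u, r in USER_ROLE.items() if r == mine}


def assignable_groups(actor, option):
    """Groups the actor may assign to. For options 2 and 3, drop any group
    that has at least one member whose role is higher than the actor's."""
    if option == ALL_USERS:
        return set(GROUPS)
    higher = ancestors(USER_ROLE[actor])
    return {g for g, members in GROUPS.items()
            if not any(USER_ROLE[m] in higher for m in members)}
```

The check has to run on the server when the record is saved, not only when the Assigned To list is rendered, otherwise a group id submitted directly still goes through.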