[Vtigercrm-developers] v5.4 documents question
Richard Hills
richard at tw.co.nz
Tue Mar 18 11:46:48 GMT 2014
I am assuming it is include/upload_file.php
Sorry for again asking before looking properly ;)
If anyone knows of patches which addressed such issues, btw, please let me
know; I did some googling and saw only patches which we had already applied.
On 19/03/14 00:27, Richard Hills wrote:
> Hi guys
>
> I have seen a live unmodified 5.4 install which we have running as a
> test for clients who want to see what vtiger can do end up with an
> injected script inside of a normal documents structure
> (/storage/year/month/week/filename.whatever).
>
> No entry was made to match this in the crmentity table or elsewhere, so
> it seems to be some very large security hole.
>
> I'm just wondering if anyone can point me to the file which handles
> these file uploads so I can get hunting for whatever has allowed this
> to happen.
>
> Thank you
> _______________________________________________
> http://www.vtiger.com/
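A check for the situation described in this thread (a script sitting in the storage tree with no matching database record), as an added example that is not from the thread or from vtiger. It assumes the set of recorded file paths has already been exported from the CRM database; `audit_storage`, `demo`, the extension and marker lists, and the sample files are hypothetical.

```python
import os
import tempfile

# Assumption: extensions and markers worth flagging; tune for your web server.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar", ".pl", ".cgi", ".jsp", ".asp"}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def audit_storage(storage_root, known_paths):
    """Return sorted (relative_path, reasons) for files that look out of place.

    known_paths: paths relative to storage_root that the CRM has a record for.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(storage_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, storage_root).replace(os.sep, "/")
            reasons = []
            if rel not in known_paths:
                reasons.append("no-record")
            # Check every dot-separated segment so "x.php.jpg" is caught too.
            if {"." + s.lower() for s in name.split(".")[1:]} & SCRIPT_EXTS:
                reasons.append("script-extension")
            with open(full, "rb") as fh:
                head = fh.read(1024).lower()
            if head.startswith(b"#!") or any(m in head for m in SCRIPT_MARKERS):
                reasons.append("script-content")
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)


def demo():
    """Build a constructed storage tree (year/month/week) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        week = os.path.join(root, "2014", "March", "week3")
        os.makedirs(week)
        samples = {  # constructed sample files, not taken from the thread
            "quote.pdf": b"%PDF-1.4 sample",
            "logo.php.jpg": b"\xff\xd8\xff\xe0 sample",
            "info.whatever": b"<?php /* placeholder */ ?>",
        }
        for name, data in samples.items():
            with open(os.path.join(week, name), "wb") as fh:
                fh.write(data)
        known = {"2014/March/week3/quote.pdf", "2014/March/week3/logo.php.jpg"}
        return audit_storage(root, known)
```

A file flagged only as `no-record` may still be a leftover from a deleted document, so treat the combination of reasons as the signal and preserve timestamps and web server logs before removing anything.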