[Vtigercrm-developers] v5.4 documents question
Uma S
uma.s at vtiger.com
Tue Mar 18 12:01:32 GMT 2014
Hi Richard,
No entry was made to match this in the crmentity table or elsewhere so it
seems some very large security hole.
1. Every file that's uploaded to the CRM will have an entry in the vtiger_attachments table.
2. The record-to-attachment relation is saved in the vtiger_seattachmentsrel table.
3. In the Documents module, data is pushed into this table by the API uploadAndSaveFile in CRMEntity.php (data/CRMEntity.php).
On Tue, Mar 18, 2014 at 4:57 PM, Richard Hills <richard at tw.co.nz> wrote:
> Hi guys
>
> I have seen a live unmodified 5.4 install which we have running as a test
> for clients who want to see what vtiger can do end up with an injected
> script inside of a normal documents structure (/storage/year/month/week/
> filename.whatever).
>
> No entry was made to match this in the crmentity table or elsewhere so it
> seems some very large security hole.
>
> I'm just wondering if anyone can point me to the file which handles these
> file uploads so I can get hunting for whatever has allowed this to happen.
>
> Thank you
--
With
Best Regards
Uma.S
Vtiger Team
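
An added example, not part of the original thread and not vtiger code: a Python audit that lists files under the storage tree with no matching vtiger_attachments row, which is the condition Richard describes. It assumes rows exported as (attachmentsid, name, path) and an on-disk name of `<path><attachmentsid>_<name>`; both are assumptions about the 5.4 schema to verify against your install, and the sample rows and files are constructed.

```python
import os
import tempfile

# Extensions worth flagging first when they appear under storage/ (assumed list).
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".pl", ".cgi", ".jsp", ".asp"}

def expected_paths(rows, install_root):
    """Map DB rows to the absolute on-disk paths they account for.

    rows: (attachmentsid, name, path) tuples, e.g. exported from
    vtiger_attachments. Assumes storage as <path><attachmentsid>_<name>.
    """
    return {
        os.path.normpath(os.path.join(install_root, path, f"{att_id}_{name}"))
        for att_id, name, path in rows
    }

def find_orphans(install_root, rows, storage_dir="storage"):
    """Return sorted [(relative_path, is_script)] for files with no DB row."""
    known = expected_paths(rows, install_root)
    orphans = []
    for dirpath, _dirs, files in os.walk(os.path.join(install_root, storage_dir)):
        for fname in files:
            full = os.path.normpath(os.path.join(dirpath, fname))
            if full not in known:
                ext = os.path.splitext(fname)[1].lower()
                rel = os.path.relpath(full, install_root).replace(os.sep, "/")
                orphans.append((rel, ext in SCRIPT_EXTS))
    return sorted(orphans)

def demo():
    """Build a constructed storage tree and constructed DB rows, then audit."""
    rows = [(101, "quote.pdf", "storage/2014/March/week3/"),
            (102, "logo.png", "storage/2014/March/week3/")]
    with tempfile.TemporaryDirectory() as root:
        week = os.path.join(root, "storage", "2014", "March", "week3")
        os.makedirs(week)
        for fname in ("101_quote.pdf", "102_logo.png", "filename.php"):
            open(os.path.join(week, fname), "w").close()
        return find_orphans(root, rows)

if __name__ == "__main__":
    for rel, is_script in demo():
        print(("SCRIPT  " if is_script else "orphan  ") + rel)
```

Any file it reports reached the storage directory without going through the attachment bookkeeping described in the reply above, so its timestamp is a starting point for reviewing web server access logs.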