[Vtigercrm-developers] v5.4 documents question
Richard Hills
richard at tw.co.nz
Wed Mar 19 05:03:18 GMT 2014
Thanks Uma
I am yet to look at this (will finally investigate tomorrow) however I
can confirm that there was no entry in vtiger_attachments so this was
not uploaded through the usual methods.
On 19/03/14 01:01, Uma S wrote:
> Hi Richard,
>
> No entry was made to match this in the crmentity table or elsewhere so
> it seems some very large security hole.
>
> 1. Every file that's uploaded to crm will have entry in
> vtiger_attachments table.
> 2. Record to attachment relation is saved in vtiger_seattachmentsrel
> table.
> 3. In documents module,data is pushed into this table by
> api uploadAndSaveFile in CRMEntity.php(data/CRMEntity.php)
>
>
>
> On Tue, Mar 18, 2014 at 4:57 PM, Richard Hills <richard at tw.co.nz
> <mailto:richard at tw.co.nz>> wrote:
>
> Hi guys
>
> I have seen a live unmodified 5.4 install which we have running as
> a test for clients who want to see what vtiger can do end up with
> an injected script inside of a normal documents structure
> (/storage/year/month/week/filename.whatever).
>
> No entry was made to match this in the crmentity table or
> elsewhere so it seems some very large security hole.
>
> I'm just wondering if anyone can point me to the file which
> handles these file uploads so I can get hunting for whatever has
> allowed this to happen.
>
> Thank you
> _______________________________________________
> http://www.vtiger.com/
>
>
>
>
> --
> With
> Best Regards
> Uma.S
> Vtiger Team
>
>
> _______________________________________________
> http://www.vtiger.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.vtigercrm.com/pipermail/vtigercrm-developers/attachments/20140319/a10f5755/attachment.html>
More information about the vtigercrm-developers
mailing list