[Vtigercrm-developers] Security

Pabiszczak, Błażej b.pabiszczak at opensaas.pl
Tue Sep 30 07:45:08 GMT 2014


Where can I find a complete list with all XSS errors? If it's not public,
could you send it to my email address?

> You can change any records from pricebook module


Please edit a pricebook record, manually change the recordid to another one (e.g. some
account) and save.

> Is this done without user authentication?


We have been testing it as a logged-in user. A user cannot upload pictures
from outside for security reasons.

> You can send us the list.


I can send you an Acunetix report.

Yours sincerely / Regards
Błażej Pabiszczak
M: +48.884999123
E: b.pabiszczak at opensaas.pl

2014-09-30 6:03 GMT+02:00 Prasad <prasad at vtiger.com>:

> Błażej,
>
> There are a few areas where XSS has been noted and we are working to fix
> them.
>
> Evaluating XSS like in a CMS is not appropriate, in my personal opinion.
> Please let us know if unauthenticated user / non-CRM user can make such
> injections.
>
> 3. You can change any records from pricebook module
>
> Please clarify.
>
> 4. You can put any html in notepad (e.g. external image)
>
> Is this done without user authentication?
>
> 5. and many others
>
> You can send us the list.
>
> We will continue to weed them out. Thank you for letting us know again.
>
> Regards,
> Prasad
>
> Connect with us on: Twitter <http://twitter.com/vtigercrm> | Facebook
> <http://www.facebook.com/pages/vtiger/226866697333578?sk=wall> | Blog
> <https://blogs.vtiger.com/> | Wiki
> <http://wiki.vtiger.com/index.php/Main_Page> | Forums
> <https://discussions.vtiger.com> | Website <https://www.vtiger.com/>
>
> On Mon, Sep 29, 2014 at 10:29 PM, Pabiszczak, Błażej <
> b.pabiszczak at opensaas.pl> wrote:
>
>>
>>    1. XSS in Cloud Tag (e.g.: a<script>alert(123)</script>b a)
>>    2. Ignores the limit on the number of characters:
>>     c<script>alert(document.cookie)</script>d
>>       - You can view sessionid,
>>       - you can put img from external address
>>       - etc.
>>    3. You can change any records from pricebook module.
>>    4. You can put any html in notepad (e.g. external image)
>>    5. and many others
>>
>> Do you test systems? Do you use tools like Acunetix?
>>
>> Yours sincerely / Regards
>> Błażej Pabiszczak
>> M: +48.884999123
>> E: b.pabiszczak at opensaas.pl
>>
>> _______________________________________________
>> http://www.vtiger.com/
>>
>
