[Vtigercrm-developers] security issue with multiple vtigers on the same host
Alan Bell
alan.bell at libertus.co.uk
Wed Jan 13 14:15:13 GMT 2016
Hi
If you have multiple vtigers on one host, they all share the same
scope for the PHP session, which means that if you have two vtigers
configured like this:
http://host/foo/index.php
username=admin, uid=1, password="foo"
http://host/bar/index.php
username=admin, uid=1, password="bar"
you can log in to foo, then switch your browser URL to go into the
vtiger called bar, and you will be logged in with admin access without
knowing the password for that system. This works for any matching user
id, but we know that the admin user always matches, so it is easy to
demonstrate with that.
This is because includes/main/WebUI.php doesn't check the session's
application unique id, so it doesn't validate that the session is for
the current vtiger.
Line 39 of includes/main/WebUI.php should be something like:

    if ($userid &&
        vglobal('application_unique_key') == $_SESSION['app_unique_key']) {

If some kind of single sign-on between multiple instances is actually
the desired behaviour, then make the application unique id in
config.inc.php match in both systems.
Alan.
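The following is an added illustration of the check proposed above; it is not vtiger's code and was not posted to the list. It models two instances on one host that share a single PHP session, using constructed instance names and keys, a stand-in for vglobal(), and an assumed session layout (authenticated_user_id plus the app_unique_key the message suggests storing at login). The unbound check is the behaviour described in the report; the bound check is the fix.

```php
<?php
// Added example, not vtiger's own code. Simulates two vtiger instances
// ("foo" and "bar", constructed names) on one host that share a PHP
// session, and shows why binding the session to the instance's
// application_unique_key stops a login on one from being honoured by
// the other.
declare(strict_types=1);

// Per-instance config.inc.php values (constructed; a real install
// generates its own application_unique_key).
$instances = [
    'foo' => ['application_unique_key' => 'foo-key-0001'],
    'bar' => ['application_unique_key' => 'bar-key-0002'],
];

// Stand-in for vglobal(): reads the config of the instance serving the
// current request.
function instanceConfig(array $instances, string $name, string $key): string
{
    return $instances[$name][$key];
}

// What a successful login would store in the shared session (assumed
// layout: the user id plus the instance key the message proposes).
function loginTo(array $instances, string $name, int $userId): array
{
    return [
        'authenticated_user_id' => $userId,
        'app_unique_key' => instanceConfig($instances, $name, 'application_unique_key'),
    ];
}

// Unbound check: any session carrying a user id is accepted by every
// instance on the host, which is the behaviour the report describes.
function isLoggedInUnbound(array $session): bool
{
    return (bool) ($session['authenticated_user_id'] ?? 0);
}

// Bound check: the session must also carry the key of *this* instance.
function isLoggedInBound(array $instances, string $name, array $session): bool
{
    $userId = (bool) ($session['authenticated_user_id'] ?? 0);
    $current = instanceConfig($instances, $name, 'application_unique_key');
    $stored = (string) ($session['app_unique_key'] ?? '');
    // hash_equals() keeps the comparison constant-time for the key bytes.
    return $userId && hash_equals($current, $stored);
}

// Log in to foo; the browser now holds one session cookie for the host.
$session = loginTo($instances, 'foo', 1);

// The same session is then presented to bar/index.php.
printf("unbound check at bar: %s\n",
    isLoggedInUnbound($session) ? 'logged in' : 'rejected');
printf("bound check at bar:   %s\n",
    isLoggedInBound($instances, 'bar', $session) ? 'logged in' : 'rejected');
printf("bound check at foo:   %s\n",
    isLoggedInBound($instances, 'foo', $session) ? 'logged in' : 'rejected');

// Deliberate single sign-on, as the message describes: give both
// instances the same application_unique_key and the bound check
// accepts the session at bar as well.
$instances['bar']['application_unique_key'] =
    $instances['foo']['application_unique_key'];
printf("bound check at bar, keys matched: %s\n",
    isLoggedInBound($instances, 'bar', $session) ? 'logged in' : 'rejected');
```

Run it with the PHP CLI: the unbound check accepts the foo session at bar, the bound check rejects it at bar while still accepting it at foo, and once the two keys are made identical the bound check accepts it at bar too, which is the intended single sign-on case. As a complementary measure on hosts that must run several instances, giving each instance its own session cookie path or name (session_set_cookie_params() / session_name() before session_start()) keeps the browser from presenting one instance's session to another in the first place; that is an added suggestion, not something the message covers.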