There's a new highly critical advisory from Secunia about script insertion, etc. This seems to be an upgrade of the one posted on Sep 4.<br><br>Mike O'Loan<br><br>---------- Forwarded message ----------<br><span class="gmail_quote">
From: <b class="gmail_sendername">Secunia</b> <<a href="mailto:advisories@secunia.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
advisories@secunia.com</a>><br>Date: Oct 12, 2006 2:21 AM<br>Subject: [SA21728] vtiger CRM Multiple Vulnerabilities<br>To: <a href="mailto:secunia@saucesoft.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
secunia@saucesoft.com</a><br><br></span><br>TITLE:<br>vtiger CRM Multiple Vulnerabilities
<br><br>SECUNIA ADVISORY ID:<br>SA21728<br><br>VERIFY ADVISORY:<br><a href="https://ca.secunia.com/?page=viewadvisory&vuln_id=21728" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">https://ca.secunia.com/?page=viewadvisory&vuln_id=21728
</a><br><br>CRITICAL:<br>
Highly critical<br><br>IMPACT:<br>Security Bypass, Cross Site Scripting, System access<br><br>WHERE:<br>From remote<br><br>REVISION:<br>2.0 originally posted 2006-09-04<br><br>SOFTWARE:<br>vtiger CRM 4.x<br><a href="http://secunia.com/product/6211/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
http://secunia.com/product/6211/</a><br><br>DESCRIPTION:<br>Some vulnerabilities have been discovered in vtiger CRM, which can be<br>exploited by malicious people to conduct script insertion attacks,<br>bypass certain security restrictions, and to compromise a vulnerable
<br>system.<br><br>1) Input passed to the "description" field in various modules when<br>e.g. creating a contact and the "solution" field when an<br>administrator modifies the solution in the HelpDesk modules isn't
<br>properly sanitised before being used. This can be exploited to inject<br>arbitrary HTML and script code, which will be executed in a user's<br>browser session in context of an affected site when the malicious<br>user data is viewed.
<br><br>2) An error in the access control verification can be exploited by a<br>normal user to access administrative modules (e.g. the settings<br>section) by accessing certain URLs directly.<br><br>3) Input passed to the "calpath" parameter in
<br>modules/Calendar/admin/update.php is not properly verified before<br>being used to include files. This can be exploited to execute<br>arbitrary PHP code by including files from local or external<br>resources.<br><br>
The vulnerabilities have been confirmed in version
4.2.4. Other<br>versions may also be affected.<br><br>SOLUTION:<br>Edit the source code to ensure that input is properly sanitised and<br>verified, and that access to administrative modules are properly<br>checked.<br><br>
Use another product.<br><br>PROVIDED AND/OR DISCOVERED BY:<br>1,2) Ivan Markovic<br>3) Dedi Dwianto<br><br>CHANGELOG:<br>2006-09-07: Added CVE references.<br>2006-09-18: Added CVE reference.<br>2006-10-11: Updated "Title", "Description", and "Solution" section.
<br>Added additional vulnerability provided by Dedi Dwianto. Updated<br>"Criticality".<br><br>ORIGINAL ADVISORY:<br>1,2) <a href="http://www.security-net.biz/adv/D3906a.txt" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
http://www.security-net.biz/adv/D3906a.txt
</a><br><br>3) <a href="http://advisories.echo.or.id/adv/adv54-theday-2006.txt" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://advisories.echo.or.id/adv/adv54-theday-2006.txt</a><br><br>----------------------------------------------------------------------
<br><br>
Secunia recommends that you verify all advisories you receive by<br>clicking the link.<br>Secunia NEVER sends attached files with advisories.<br>Secunia does not advise people to install third party patches, only<br>use those supplied by the vendor.
<br><br>Definitions: (Criticality, Where etc.)<br><a href="http://secunia.com/about_secunia_advisories/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://secunia.com/about_secunia_advisories/
</a><br><a href="mailto:mike.oloan@saucesoft.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><br></a>