<div dir="ltr">we check this soon.</div><div class="gmail_extra"><br clear="all"><div><div><br></div><div><div>Z poważaniem / Regards</div><div>Błażej Pabiszczak</div><div>M: +48.884999123<br>E: <a href="mailto:b.pabiszczak@opensaas.pl" target="_blank">b.pabiszczak@opensaas.pl</a></div>

</div></div>
<br><br><div class="gmail_quote">2014/1/16  <span dir="ltr"><<a href="mailto:vtigercrm-developers-request@lists.vtigercrm.com" target="_blank">vtigercrm-developers-request@lists.vtigercrm.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

Today's Topics:<br>
<br>
   1. Re: SOAP vulnerability (Pabiszczak)<br>
   2. Re: SOAP vulnerability (Prasad)<br>
   3. Re: SOAP vulnerability (Prasad)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Thu, 16 Jan 2014 10:07:34 +0100<br>
From: Pabiszczak, Błażej <<a href="mailto:b.pabiszczak@opensaas.pl">b.pabiszczak@opensaas.pl</a>><br>
To: Joe Bordes <<a href="mailto:joe@tsolucio.com">joe@tsolucio.com</a>>,<br>
        <a href="mailto:vtigercrm-developers@lists.vtigercrm.com">vtigercrm-developers@lists.vtigercrm.com</a><br>
Subject: Re: [Vtigercrm-developers] SOAP vulnerability<br>
Message-ID:<br>
        <<a href="mailto:CAD40NWYmZ7pmcM4akQY0H%2B9v0YEjeVb1xC1aHjcYvG_aq%2B0e4A@mail.gmail.com">CAD40NWYmZ7pmcM4akQY0H+9v0YEjeVb1xC1aHjcYvG_aq+0e4A@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="iso-8859-2"<br>
<br>
and 6.0 too.<br>
<br>
<br>
Z poważaniem / Regards<br>
Błażej Pabiszczak<br>
M: +48.884999123<br>
E: <a href="mailto:b.pabiszczak@opensaas.pl">b.pabiszczak@opensaas.pl</a><br>
<br>
<br>
2014/1/16 Joe Bordes <<a href="mailto:joe@tsolucio.com">joe@tsolucio.com</a>><br>
<br>
>  Is that also true for 5.4?<br>
><br>
><br>
><br>
> On 16/01/14 09:48, Prasad wrote:<br>
><br>
> Removing vtigerolservice.php should solve the issue - as Vtiger Outlook<br>
> Plugin no longer requires this entry point.<br>
><br>
>  Regards,<br>
> Prasad<br>
><br>
><br>
><br>
> On Thu, Jan 16, 2014 at 12:04 AM, Joe Bordes <<a href="mailto:joe@tsolucio.com">joe@tsolucio.com</a>> wrote:<br>
><br>
>> I see that the security patch released a few months ago seems to attend<br>
>> this vulnerability although I'm not totally sure. Can somebody in vtiger<br>
>> please confirm that the solution is in that patch, please?<br>
>><br>
>><br>
>> On 15/01/14 18:17, Joe Bordes wrote:<br>
>><br>
>>  Hi<br>
>>><br>
>>> Frank Piepiorra from CRMNOW just announced this on the forum:<br>
>>><br>
>>> <a href="http://www.exploit-db.com/exploits/30787/" target="_blank">http://www.exploit-db.com/exploits/30787/</a><br>
>>><br>
>>> <a href="https://discussions.vtiger.com/index.php?p=/discussion/169458/vtiger-security-alert-for-soap" target="_blank">https://discussions.vtiger.com/index.php?p=/discussion/169458/vtiger-security-alert-for-soap</a><br>


>>><br>
>>><br>
>>> Joe<br>
>>> TSolucio<br>
>>><br>
> --<br>
> Regards<br>
> Joe<br>
> TSolucio<br>
><br>
><br>


<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Thu, 16 Jan 2014 14:41:44 +0530<br>
From: Prasad <<a href="mailto:prasad@vtiger.com">prasad@vtiger.com</a>><br>
To: Joe Bordes <<a href="mailto:joe@tsolucio.com">joe@tsolucio.com</a>>,<br>
        "<a href="mailto:vtigercrm-developers@lists.vtigercrm.com">vtigercrm-developers@lists.vtigercrm.com</a>"<br>
        <<a href="mailto:vtigercrm-developers@lists.vtigercrm.com">vtigercrm-developers@lists.vtigercrm.com</a>><br>
Subject: Re: [Vtigercrm-developers] SOAP vulnerability<br>
Message-ID:<br>
        <<a href="mailto:CAMeS7pmqgY7V%2BkriB6v5V4iysRiD1ovm3dFp8NarJdk_KJn_aQ@mail.gmail.com">CAMeS7pmqgY7V+kriB6v5V4iysRiD1ovm3dFp8NarJdk_KJn_aQ@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="iso-8859-1"<br>
<br>
Our team is verifying on older versions.<br>
<br>


<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Thu, 16 Jan 2014 16:08:26 +0530<br>
From: Prasad <<a href="mailto:prasad@vtiger.com">prasad@vtiger.com</a>><br>
To: "<a href="mailto:vtigercrm-developers@lists.vtigercrm.com">vtigercrm-developers@lists.vtigercrm.com</a>"<br>
        <<a href="mailto:vtigercrm-developers@lists.vtigercrm.com">vtigercrm-developers@lists.vtigercrm.com</a>><br>
Subject: Re: [Vtigercrm-developers] SOAP vulnerability<br>
Message-ID:<br>
        <CAMeS7p=<a href="mailto:5JXfzw8db1H2Qp9sv4mhScY29j%2BN9vHLu9A9b0hVTvQ@mail.gmail.com">5JXfzw8db1H2Qp9sv4mhScY29j+N9vHLu9A9b0hVTvQ@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="iso-8859-2"<br>
<br>
The exploit explained cannot succeed if the soap-session is not active<br>
through the Outlook plugin (older versions). I have devised a fix to handle the<br>
filename being uploaded - <a href="http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7903" target="_blank">http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7903</a><br>
<br>
Please review.<br>
<br>
Regards,<br>
Prasad<br>
<br>
<br>
<br>


<br>
------------------------------<br>
<br>
<br>
<br>
End of vtigercrm-developers Digest, Vol 96, Issue 46<br>
****************************************************<br>
</blockquote></div><br></div>