<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Thanks Uma<br>
    <br>
    I am yet to look at this (will finally investigate tomorrow) however
    I can confirm that there was no entry in vtiger_attachments so this
    was not uploaded through the usual methods.<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 19/03/14 01:01, Uma S wrote:<br>
    </div>
    <blockquote
cite="mid:CAH83Uo+VrDwDHDA-y_bB4d8NXrEPJqPMg7r8uY_Cu=ZtZ5DYLg@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hi Richard,
        <div><span style="font-family:arial,sans-serif;font-size:13px"><br>
          </span></div>
        <div><span style="font-family:arial,sans-serif;font-size:13px">No
            entry was made to match this in the crmentity table or
            elsewhere so it seems some very large security hole.</span><br>
        </div>
        <div>
          <ol>
            <li><span
                style="font-size:13px;font-family:arial,sans-serif">Every
                file that's uploaded to crm will have entry in </span><font
                face="arial, sans-serif">vtiger_attachments table.</font><br>
            </li>
            <li><font face="arial, sans-serif">Record to attachment
                relation is saved in vtiger_seattachmentsrel table.</font></li>
            <li><span style="font-family:arial,sans-serif">In documents
                module,data is pushed into this table by
                api uploadAndSaveFile in
                CRMEntity.php(data/CRMEntity.php)</span><br>
            </li>
          </ol>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Tue, Mar 18, 2014 at 4:57 PM,
          Richard Hills <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:richard@tw.co.nz" target="_blank">richard@tw.co.nz</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            Hi guys<br>
            <br>
            I have seen a live unmodified 5.4 install which we have
            running as a test for clients who want to see what vtiger
            can do end up with an injected script inside of a normal
            documents structure (/storage/year/month/week/filename.whatever).<br>
            <br>
            No entry was made to match this in the crmentity table or
            elsewhere so it seems some very large security hole.<br>
            <br>
            I'm just wondering if anyone can point me to the file which
            handles these file uploads so I can get hunting for whatever
            has allowed this to happen.<br>
            <br>
            Thank you<br>
            _______________________________________________<br>
            <a moz-do-not-send="true" href="http://www.vtiger.com/"
              target="_blank">http://www.vtiger.com/</a><br>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <div dir="ltr">With<br>
          Best Regards<br>
          Uma.S<br>
          <div>Vtiger Team</div>
        </div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
<a class="moz-txt-link-freetext" href="http://www.vtiger.com/">http://www.vtiger.com/</a></pre>
    </blockquote>
    <br>
  </body>
</html>