[Vtigercrm-developers] [CRITICAL] possible code injection vulnerability

Enrico Weigelt weigelt at metux.de
Tue Jun 26 04:38:26 PDT 2007

* Minnie <minnie at vtiger.com> schrieb:


> when I try to give module=Leads and action=foo, I got the warning 
> message stating that
> Warning:  include(modules/Leads/foo.php) [function.include]: failed to open stream: No such file or directory in

The problem is: the name of the codefile to load is built from
$_REQUEST{'module'} and $_REQUEST{'action'}. There are several
ways to trick php with special characters. If including from
URLs is enabled, we have an big fat code injection leak.

 Enrico Weigelt    ==   metux IT service

  phone:     +49 36207 519931         www:       http://www.metux.de/
  fax:       +49 36207 519932         email:     contact at metux.de
  cellphone: +49 174 7066481
 -- DSL ab 0 Euro. -- statische IP -- UUCP -- Hosting -- Webshops --

More information about the vtigercrm-developers mailing list