[Vtigercrm-developers] [CRITICAL] possible code injection vulnerability

J Zakhar john at tantor.com
Tue Jun 26 06:52:25 PDT 2007

Enrico Weigelt wrote:
> * Minnie <minnie at vtiger.com> wrote:
> Hi,
>> when I try to give module=Leads and action=foo, I got the warning 
>> message stating that
>> Warning:  include(modules/Leads/foo.php) [function.include]: failed to open stream: No such file or directory in
> The problem is: the name of the codefile to load is built from
> $_REQUEST{'module'} and $_REQUEST{'action'}. There are several
> ways to trick php with special characters. If including from
> URLs is enabled, we have an big fat code injection leak.
> cu
Granted, I am by no means an expert, but one, is that syntax even valid? 
Should it not be $_REQUEST['var']; ?
Second, using that array, you have to form post to the page for the 
variables in $_REQUEST/$_POST/$_GET to get filled.
With most modern versions of PHP, register globals is off by default.

I just tested it here and the original poster is correct, if you drop in 
your own action you can get a remote code execution situation.

Yeah, in the code we have

    $action = '';
    $action = $_REQUEST['action'];

and that is bizarre; the whole point of the $_REQUEST array was to stop 
this kind of thing...
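
Added example, not part of the original message and not vtiger's own code: one way to close the hole discussed in this thread is to accept only plain identifiers for module and action and to confirm that the resolved file stays under the modules directory before it is passed to include(). The function name resolve_action_file, the 64-character limit and the temporary demo tree are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not vtiger code.
// Maps request-supplied module/action names to a file under the modules
// directory and refuses anything that is not a plain identifier.
function resolve_action_file(string $baseDir, $module, $action): ?string
{
    // Reject arrays (?action[]=x) and anything outside [A-Za-z0-9_]:
    // no slashes, dots, NUL bytes or URL schemes can get through.
    foreach ([$module, $action] as $name) {
        if (!is_string($name) || !preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $name)) {
            return null;
        }
    }
    $root = realpath($baseDir);
    $path = realpath($baseDir . '/' . $module . '/' . $action . '.php');
    // realpath() returns false for a missing file, so an unknown action
    // stops here instead of reaching include() and raising a warning.
    if ($root === false || $path === false) {
        return null;
    }
    // Defence in depth: the resolved path (symlinks followed) must stay
    // inside the modules directory.
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo tree: <tmp>/modules_demo_<pid>/Leads/index.php
$base = sys_get_temp_dir() . '/modules_demo_' . getmypid();
mkdir($base . '/Leads', 0700, true);
file_put_contents($base . '/Leads/index.php', "<?php echo 'Leads index';\n");

// Constructed inputs standing in for $_REQUEST['action'].
$samples = ['index', 'foo', '../index', 'http://example.invalid/x', ['index']];
foreach ($samples as $action) {
    $file = resolve_action_file($base, 'Leads', $action);
    printf("%-30s => %s\n",
        json_encode($action, JSON_UNESCAPED_SLASHES),
        $file === null ? 'rejected' : 'allowed');
}

// Remove the demo tree.
unlink($base . '/Leads/index.php');
rmdir($base . '/Leads');
rmdir($base);
```

Only "index" is allowed in the demo run. Keeping allow_url_include off in php.ini removes the URL-include case independently of this check.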
