ID
VAR-E-201203-0850
TITLE
RETIRED: vtiger CRM 'module_name' Parameter Local File Include Vulnerability
Trust: 0.3
DESCRIPTION
vtiger CRM is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input passed in the 'module_name' parameter of the 'modules/com_vtiger_workflow/sortfieldsjson.php' script.
An attacker can exploit this vulnerability to view files readable by the webserver process and to execute local scripts in the context of that process. This may aid in further attacks.
vtiger CRM 5.1.0 is vulnerable; other versions may also be affected.
This BID is being retired as a duplicate of BID 47263 (vtiger CRM 'sortfieldsjson.php' Local File Include Vulnerability).
Trust: 0.3
AFFECTED PRODUCTS
vendor: | vtiger | model: | crm | scope: | eq | version: | 5.1 | Trust: 0.3 |
EXPLOIT
An attacker can exploit this issue using a browser; no special tooling is needed.
The following proof-of-concept URI was published:
http://www.example.com/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00
The trailing %00 is a URL-encoded null byte, intended to truncate anything the script appends to the parameter before passing it to the include. PHP 5.3.4 and later refuse file paths that contain a null byte, so on those builds the truncation trick fails and the traversal is limited to whatever the unmodified include path resolves to.
Trust: 0.3
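The proof-of-concept URI above is easy to spot in web-server access logs. The following detector is an added example written for this entry (it is not from the BID advisory or from the vtiger project) and runs over constructed Apache "combined" log lines embedded inline; the client addresses, timestamps and the double-encoded variant on the third line are assumptions. It decodes the 'module_name' value repeatedly so that double-encoded traversal sequences and null bytes (%252f, %2500) are caught, and flags any value that is not a plain module identifier.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache "combined" format (not real traffic).
# Line 1 mirrors the published proof-of-concept URI; line 3 is an assumed
# double-encoded variant; lines 2 and 4 are benign vtiger requests.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Mar/2012:10:14:02 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Mar/2012:10:14:05 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=Leads HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Mar/2012:10:15:11 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=..%252f..%252fconfig.inc.php%2500 HTTP/1.1" 200 900 "-" "curl/7.22"
192.0.2.4 - - [21/Mar/2012:10:16:00 +0000] "GET /vtigercrm/index.php?module=Leads&action=index HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TARGET_SCRIPT = "modules/com_vtiger_workflow/sortfieldsjson.php"
# vtiger module names are plain identifiers such as "Leads" or "Accounts".
SAFE_MODULE_RE = re.compile(r"^[A-Za-z0-9_]+$")


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so %252f (double-encoded '/') is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target):
    """Return indicator names for one request target; [] if not an LFI attempt."""
    parts = urlsplit(target)
    if not decode_fully(parts.path).endswith(TARGET_SCRIPT):
        return []
    indicators = set()
    # parse_qs already decodes one layer; decode_fully strips any further layers.
    for value in parse_qs(parts.query, keep_blank_values=True).get("module_name", []):
        value = decode_fully(value)
        if "\x00" in value:
            indicators.add("null-byte truncation")
        if "../" in value or "..\\" in value:
            indicators.add("path traversal")
        if not SAFE_MODULE_RE.match(value):
            indicators.add("non-identifier module_name")
    return sorted(indicators)


def scan_log(text):
    """Return one hit per suspicious request: (client ip, timestamp, indicators)."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        indicators = classify_request(m.group("target"))
        if indicators:
            hits.append((m.group("ip"), m.group("ts"), indicators))
    return hits


if __name__ == "__main__":
    for ip, ts, indicators in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip}: {', '.join(indicators)}")
```

The allowlist check (`SAFE_MODULE_RE`) is the one that matters for coverage: traversal and null-byte strings are easy to obfuscate, but any 'module_name' that is not a bare identifier is never a legitimate vtiger request and is worth alerting on regardless of which file it points at.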
PRICE
Free
Trust: 0.3
TYPE
Input Validation Error
Trust: 0.3
CREDITS
Pi3rrot
Trust: 0.3
EXTERNAL IDS
db: | BID | id: | 52671 | Trust: 0.3 |
REFERENCES
url: | http://sourceforge.net/projects/vtigercrm/files/vtiger%20crm%205.1.0/ | Trust: 0.3 |
SOURCES
db: | BID | id: | 52671 |
LAST UPDATE DATE
2022-07-27T09:49:59.978000+00:00
SOURCES UPDATE DATE
db: | BID | id: | 52671 | date: | 2012-04-26T15:30:00 |
SOURCES RELEASE DATE
db: | BID | id: | 52671 | date: | 2012-03-21T00:00:00 |