ID

VAR-201404-0102

CVE

CVE-2013-3213

TITLE

Vtiger CRM In SQL Injection vulnerability

DESCRIPTION

Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 through 5.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) picklist_name parameter in the get_picklists method to soap/customerportal.php, (2) where parameter in the get_tickets_list method to soap/customerportal.php, or (3) emailaddress parameter in the SearchContactsByEmail method to soap/vtigerolservice.php; or remote authenticated users to execute arbitrary SQL commands via the (4) emailaddress parameter in the SearchContactsByEmail method to soap/thunderbirdplugin.php. Vtiger CRM Is SQL An injection vulnerability exists.By any third party, via the following parameters SQL The command may be executed. (4) soap/thunderbirdplugin.php of SearchContactsByEmail In the method emailaddress Parameters. vtiger CRM is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. vtiger CRM 5.0.0 through versions 5.4.0 are vulnerable. Vtiger CRM is a customer relationship management system (CRM) based on SugarCRM developed by American Vtiger Company. The management system provides functions such as management, collection, and analysis of customer information. The vulnerability comes from the fact that the soap/customerportal.php script does not correctly filter the 'picklist_name' parameter in the get_picklists method; the soap/customerportal.php script does not correctly filter the get_tickets_list method The 'where' parameter; the soap/vtigerolservice.php script does not correctly filter the 'emailaddress' parameter in the SearchContactsByEmail method; the soap/thunderbirdplugin.php script does not correctly filter the 'emailaddress' parameter in the SearchContactsByEmail method. [-] Vulnerability Description: 1) The vulnerable code is located in the get_picklists SOAP method defined in /soap/customerportal.php: 1177. $id = $input_array['id']; 1178. $sessionid = $input_array['sessionid']; 1179. $picklist_name = $adb->sql_escape_string($input_array['picklist_name']); 1180. 1181. if(!validateSession($id,$sessionid)) 1182. return null; 1183. 1184. $picklist_array = Array(); 1185. 1186. $admin_role = 'H2'; 1187. $userid = getPortalUserid(); 1188. $roleres = $adb->pquery("SELECT roleid from vtiger_user2role where userid = ?", array($userid)); 1189. $RowCount = $adb->num_rows($roleres); 1190. if($RowCount > 0){ 1191. $admin_role = $adb->query_result($roleres,0,'roleid'); 1192. } 1193. 1194. $res = $adb->pquery("select vtiger_". $picklist_name.".* from vtiger_". $picklist_name." inner join [...] User input passed through the "picklist_name" parameter seems to be correctly sanitised by the sql_escape_string() method, but the vulnerability exists because it's used in the query at line 1194 without single or double quotes. This can be exploited to conduct blind SQL injection attacks. 2) The vulnerable code is located in the get_tickets_list SOAP method defined in /soap/customerportal.php: 654. $id = $input_array['id']; 655. $only_mine = $input_array['onlymine']; 656. $where = $input_array['where']; //addslashes is already added with where condition fields in portal itself 657. $match = $input_array['match']; 658. $sessionid = $input_array['sessionid']; 659. 660. if(!validateSession($id,$sessionid)) 661. return null; 662. 663. // Prepare where conditions based on search query 664. $join_type = ''; 665. $where_conditions = ''; 666. if(trim($where) != '') { 667. if($match == 'all' || $match == '') { 668. $join_type = " AND "; 669. } elseif($match == 'any') { 670. $join_type = " OR "; 671. } 672. $where = explode("&&&",$where); 673. $where_conditions = implode($join_type, $where); [...] 707. $query = "SELECT vtiger_troubletickets.*, vtiger_crmentity.smownerid,vtiger_crmentity.createdtime, [...] 708. FROM vtiger_troubletickets 709. INNER JOIN vtiger_crmentity ON vtiger_crmentity.crmid = vtiger_troubletickets.ticketid AND [...] 710. WHERE vtiger_troubletickets.parent_id IN (". generateQuestionMarks($entity_ids_list) .")"; 711. // Add conditions if there are any search parameters 712. if ($join_type != '' && $where_conditions != '') { 713. $query .= " AND (".$where_conditions.")"; 714. } User input passed through the "where" parameter isn't properly validated before being used in a SQL query at line 713. This can be exploited to conduct SQL injection attacks. 3) The vulnerable code is located in the SearchContactsByEmail SOAP method defined in /soap/thunderbirdplugin.php: 186. function SearchContactsByEmail($username,$password,$emailaddress) 187. { 188. if(authentication($username,$password)) 189. { 190. require_once('modules/Contacts/Contacts.php'); 191. 192. $seed_contact = new Contacts(); 193. $output_list = Array(); 194. 195. $response = $seed_contact->get_searchbyemailid($username,$emailaddress); User input passed through the "emailaddress" parameter isn't properly validated before being used in a call to the Contacts::get_searchbyemailid() method at line 195. This can be exploited to conduct SQL injection attacks. Successful exploitation of this vulnerability requires authentication. 4) The vulnerable code is located in the SearchContactsByEmail SOAP method defined in /soap/vtigerolservice.php: 282. function SearchContactsByEmail($username,$session,$emailaddress) 283. { 284. if(!validateSession($username,$session)) 285. return null; 286. require_once('modules/Contacts/Contacts.php'); 287. 288. $seed_contact = new Contacts(); 289. $output_list = Array(); 290. 291. $response = $seed_contact->get_searchbyemailid($username,$emailaddress); User input passed through the "emailaddress" parameter isn't properly validated before being used in a call to the Contacts::get_searchbyemailid() method at line 291. This can be exploited to conduct SQL injection attacks. Successful exploitation of this vulnerability requires knowledge of a valid username. [-] Solution: Apply the vendor patch:http://www.vtiger.com/blogs/?p=1467 [-] Disclosure Timeline: [13/01/2013] - Vendor notified [06/02/2013] - Vendor asked feedback abouthttp://trac.vtiger.com/cgi-bin/trac.cgi/changeset/13848 [05/03/2013] - Feedback provided to the vendor [26/03/2013] - Vendor patch released [18/04/2013] - CVE number requested [20/04/2013] - CVE number assigned [01/08/2013] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-3213 to these vulnerabilities. [-] Credits: Vulnerabilities discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2013-06

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

sql injection

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Egidio Romano

SOURCES

LAST UPDATE DATE

2025-04-13T23:17:40.611000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE