vtiger Multiple Input Validation Bugs Let Remote Users Traverse the Directory, Conduct Cross-Site Scripting and SQL Injection Attacks, and Execute Arbitrary Code
SecurityTracker Alert ID: 1015274|
SecurityTracker URL: http://securitytracker.com/id/1015274
(Links to External Site)
Date: Nov 26 2005
Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network|
Exploit Included: Yes |
Version(s): 4.2 and prior versions|
Several vulnerabilities were reported in vtiger. A remote authenticated user can upload and execute arbitrary PHP code. A remote user can conduct cross-site scripting and SQL injection attacks. A remote user can view files on the target system.|
Several scripts do not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the vtiger software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The software does not properly validate user-supplied input. A remote user can supply specially crafted parameter values to execute SQL commands on the underlying database.
A remote user can supply a specially crafted parameter name containing '../' directory traversal characters to view certain files on the target system. A demonstration exploit URLs are provided:
The 'Users' module does not properly validate user-supplied input in the 'templatename' parameter. A remote user can supply a local pathname to cause the system to execute the specified file. A demonstration exploit URL is provided:
A remote authenticated user can invoke the 'uploads' module (index.php?module=uploads&action=add2db) to upload a file containing PHP code and having a '.php' file extension.
The vendor was notified on November 9, 2005.
D. Fabian from SEC-CONSULT reported these vulnerabilities.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the vtiger software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.|
A remote user can execute SQL commands on the underlying database.
A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
A remote user can view arbitrary files on the target system.
The vendor plans to issued a fixed version (4.5 alpha), to be available this week.|
Vendor URL: www.vtiger.com/ (Links to External Site)
Input validation error|
|Underlying OS: Linux (Any), UNIX (Any), Windows (Any)|
Source Message Contents
Subject: [Full-disclosure] SEC Consult SA-20051125-0 :: More Vulnerabilities|
SEC-CONSULT Security Advisory < 20051125-0 >
title: Even More Vulnerabilities in VTiger CRM
program: vtiger CRM
vulnerable version: 4.2 and earlier
by: D. Fabian / SEC-CONSULT / www.sec-consult.com
vtiger CRM is an Open Source CRM software mainly for small and medium
businesses. vtiger CRM is built over proven, fast, and reliable LAMP/WAMP
(Linux/Windows, Apache, MySQL, and PHP) technologies and other open
vtiger CRM leverages the benefits of Open Source software and adds more
value to the end-users by providing many enterprise features, such as
sales force automation, customer support & service, marketing automation,
inventory management, multiple database support, security management,
product customization, calendaring, E-mail integration, add-ons, and
A short security analysis of the CRM system revealed multiple serious
vulnerabilities that might result in:
- administrator account takeover,
- cookie/session information theft,
- database manipulation (reading & deleting data),
- remote code execution.
The following classes of security vulnerabilities have been found:
- SQL Injection
- Cross Site Scripting
- Path Traversal/File Disclosure
- Code Execution
- Arbitrary File Upload
It seems that Christopher Kunz from the hardened-php project
independently also discovered some of the exploits described in this
advisory. Since they released their advisory without a patch being
available, customer risk is already high and we'd like to add the
results of our research.
### Multiple SQL Injection Vulnerabilities
Practically all SQL statements in vtiger CRM are vulnerable to SQL
injection. Most seriously, the login form is vulnerable, and can be
tricked into logging in as administrator by supplying the form with a
username like "admin' or '1'='1" and an arbitrary password.
But also the record parameter is vulnerable to SQL injection and can be
used to delete or read data (e.g. index.php?action=EditView&module=
Noteably, these attacks also work if the "magic_quote" parameter in
php.ini is set to "on".
### Cross Site Scripting
Just like with SQL Injection, most parameters are vulnerable to XSS.
Most seriously however, the values stored in the database are also not
filtered for HTML tags. Thus it is possible to create for example a new
account with a name like "<script>alert(123)</script>". Whenever another
allows an attacker to collect cookies from other users to subsequently
perform session highjacking attacks.
### Path Traversal/File Disclosure
Multiple parameters are vulnerable to file disclosure attacks. These
attacks are based on unchecked user input being used in "include" or
"require" php functions. On the one hand, this allows an attacker to
disclose arbitrary files from the webserver. On the other hand, in
conjunction with the file upload functionality, the flaw can be used to
perform remote command execution, by simply uploading a file containing
php code and including it using the following attacks:
These attacks can also be performed even if the php parameter
magic_quotes is "on".
### Remote Code Execution
The file given by the parameter "templatename" is parsed and its input is
passed to eval() without any prior validation.
### Arbitrary File Upload
Using the URL index.php?module=uploads&action=add2db it is possible to
upload arbitrary files, including files with the .php extension,
resulting in arbitrary code execution.
This advisory is by no means a complete listing of all vulnerabilities in
vtiger CRM. It is very likely that there is quite a number of more flaws.
We'd like to stretch that our research was conducted independently and
without knowledge of Christopher Kunz's results. Since it's a first come
first serve world, credits for a subset of the flaws described in this
advisory go to him.
All of the above vulnerabilities have been found in vtiger CRM version
4.2. Earlier versions are very likely also vulnerable to the described
In our opinion it is currently impossible to deploy a secure installation
of vtiger CRM without major changes to the source code. As a very limited
workaround apply directory authentication (e.g. htaccess) in order to at
least allow only authorized users access to the application. However this
of course won't keep authorized users from applying the exploits and
gaining administrative access to vtiger.
vendor notified: 2005-11-09
vendor response: 2005-11-23
patch available: According to vendor a fixed version 4.5 alpha is going
to be released by the end of this week. As Christopher Kunz from the
hardened-php project already published the exploits they found, the
additional risk for customers caused by this advisory is negligible.
SEC Consult Unternehmensberatung GmbH
Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
EOF Daniel Fabian / @2005
d.fabian at sec-consult dot com
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
Go to the Top of This SecurityTracker Archive Page