Re: [Full-disclosure] vTiger CRM 5.2.x = Remote Code Execution Vulnerability
and where in vTiger is this manipulatable from?
On Wed, Oct 5, 2011 at 11:02 AM, YGN Ethical Hacker Group li...@yehg.netwrote:
vTiger CRM 5.2.x = Remote Code Execution Vulnerability
1. OVERVIEW
The vTiger CRM 5.2.1 and lower versions are vulnerable to Remote Code
Execution. No fixed version has been released as of 2011-10-05.
2. BACKGROUND
vtiger CRM is a free, full-featured, 100% Open Source CRM software
ideal for small and medium businesses, with low-cost product support
available to production users that need reliable support. vtiger CRM
is a widely used product with thousands of users in dozens of
countries. It has a vibrant community of users driving the product
forward, and contributing to it's development. Over 2 million copies
of vtiger CRM have been downloaded so far. It was launched as a fork
of version 1.0 of the SugarCRM project launched on December 31st,
2004.
3. VULNERABILITY DESCRIPTION
vTiger uses the vulnerable version of phpmailer class file located at
/cron/class.phpmailer.php .
4. VERSIONS AFFECTED
Tested on 5.2.1
5. PROOF-OF-CONCEPT/EXPLOIT
File: /cron/class.phpmailer.php
[code]
391:function SendmailSend($header, $body) {
392:if ($this-Sender != )
393: $sendmail = sprintf(%s -oi -f %s -t, $this-Sendmail,
$this-Sender);
394:else
395: $sendmail = sprintf(%s -oi -t, $this-Sendmail);
[/code]
6. SOLUTION
The vendor hasn't attempted to incorporate the latest version of
phpMailer class in their vTigerCRM as of version 5.2.1.
The flawed code portion can be patched with:
393: $sendmail = sprintf(%s -oi -f %s -t,
escapeshellcmd($this-Sendmail), escapeshellarg($this-Sender));
395: $sendmail = sprintf(%s -oi -t, escapeshellcmd($this-Sendmail));
7. VENDOR
vTiger Development Team
http://www.vtiger.com/
8. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2010-12-08: notified vendor
2011-10-05: no fixed version released yet
2011-10-05: vulnerability disclosed
10. REFERENCES
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_rce
Wiki VtigerCRM: https://secure.wikimedia.org/wikipedia/en/wiki/Vtiger_CRM
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3215
#yehg [2011-10-05]
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] vTiger CRM 5.2.x = Remote Code Execution Vulnerability
vTiger CRM 5.2.x = Remote Code Execution Vulnerability
1. OVERVIEW
The vTiger CRM 5.2.1 and lower versions are vulnerable to Remote Code
Execution. No fixed version has been released as of 2011-10-05.
2. BACKGROUND
vtiger CRM is a free, full-featured, 100% Open Source CRM software
ideal for small and medium businesses, with low-cost product support
available to production users that need reliable support. vtiger CRM
is a widely used product with thousands of users in dozens of
countries. It has a vibrant community of users driving the product
forward, and contributing to it's development. Over 2 million copies
of vtiger CRM have been downloaded so far. It was launched as a fork
of version 1.0 of the SugarCRM project launched on December 31st,
2004.
3. VULNERABILITY DESCRIPTION
vTiger uses the vulnerable version of phpmailer class file located at
/cron/class.phpmailer.php .
4. VERSIONS AFFECTED
Tested on 5.2.1
5. PROOF-OF-CONCEPT/EXPLOIT
File: /cron/class.phpmailer.php
[code]
391:function SendmailSend($header, $body) {
392:if ($this-Sender != )
393: $sendmail = sprintf(%s -oi -f %s -t, $this-Sendmail,
$this-Sender);
394:else
395: $sendmail = sprintf(%s -oi -t, $this-Sendmail);
[/code]
6. SOLUTION
The vendor hasn't attempted to incorporate the latest version of
phpMailer class in their vTigerCRM as of version 5.2.1.
The flawed code portion can be patched with:
393: $sendmail = sprintf(%s -oi -f %s -t,
escapeshellcmd($this-Sendmail), escapeshellarg($this-Sender));
395: $sendmail = sprintf(%s -oi -t, escapeshellcmd($this-Sendmail));
7. VENDOR
vTiger Development Team
http://www.vtiger.com/
8. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2010-12-08: notified vendor
2011-10-05: no fixed version released yet
2011-10-05: vulnerability disclosed
10. REFERENCES
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_rce
Wiki VtigerCRM: https://secure.wikimedia.org/wikipedia/en/wiki/Vtiger_CRM
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3215
#yehg [2011-10-05]
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
