lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 01 Aug 2013 07:58:22 +0200
From: Egidio Romano <research@...mainsecurity.com>
To: bugtraq@...urityfocus.com
Subject: [KIS-2013-08] vtiger CRM <= 5.4.0 (SOAP Services) Authentication
 Bypass Vulnerability

-----------------------------------------------------------------------
vtiger CRM <= 5.4.0 (SOAP Services) Authentication Bypass Vulnerability
-----------------------------------------------------------------------


[-] Software Link:

http://www.vtiger.com/


[-] Affected Versions:

All versions from 5.1.0 to 5.4.0.


[-] Vulnerability Description:

The vulnerable code is located in the validateSession() function, which is defined in multiple SOAP services:

function validateSession($username, $sessionid)
{
     global $adb,$current_user;
     $adb->println("Inside function validateSession($username, $sessionid)");
     require_once("modules/Users/Users.php");
     $seed_user = new Users();
     $id = $seed_user->retrieve_user_id($username);
  
     $server_sessionid = getServerSessionId($id);
  
     $adb->println("Checking Server session id and customer input session id ==> $server_sessionid == $sessionid");
  
     if($server_sessionid == $sessionid)
     {
         $adb->println("Session id match. Authenticated to do the current operation.");
         return true;
     }
     else
     {
         $adb->println("Session id does not match. Not authenticated to do the current operation.");
         return false;
     }
}

The vulnerability exists because the "sessionid" parameter isn't properly validated before being
compared with the $server_sessionid variable, which is the value returned by the getServerSessionId()
function. If called with an invalid session ID, then this function will return "null", in this case the
validateSession() will return "true" if the "sessionid" parameter is set to 0, "false", or "null". An
attacker can exploit this flaw to bypass the authentication mechanism, e.g. by calling a SOAP method
without providing the "username" and "sessionid" parameters.


[-] Solution:

Apply the vendor patch:http://www.vtiger.com/blogs/?p=1467


[-] Disclosure Timeline:

[13/01/2013] - Vendor notified
[06/02/2013] - Vendor asked feedback abouthttp://trac.vtiger.com/cgi-bin/trac.cgi/changeset/13848
[05/03/2013] - Feedback provided to the vendor
[26/03/2013] - Vendor patch released
[18/04/2013] - CVE number requested
[20/04/2013] - CVE number assigned
[01/08/2013] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-3215 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2013-08

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ