lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAPYM6VzmkH+zdqd-dsHZt-OtTgs7sgZT3=5d3CRVqEdQk-TU8g@mail.gmail.com> Date: Wed, 5 Oct 2011 18:02:30 +0800 From: YGN Ethical Hacker Group <lists@...g.net> To: full-disclosure <full-disclosure@...ts.grok.org.uk>, bugtraq <bugtraq@...urityfocus.com>, secalert@...urityreason.com, bugs@...uritytracker.com, vuln <vuln@...unia.com>, vuln@...urity.nnov.ru, news@...uriteam.com, moderators@...db.org, submissions@...ketstormsecurity.org Subject: vTiger CRM 5.2.x <= Remote Code Execution Vulnerability vTiger CRM 5.2.x <= Remote Code Execution Vulnerability 1. OVERVIEW The vTiger CRM 5.2.1 and lower versions are vulnerable to Remote Code Execution. No fixed version has been released as of 2011-10-05. 2. BACKGROUND vtiger CRM is a free, full-featured, 100% Open Source CRM software ideal for small and medium businesses, with low-cost product support available to production users that need reliable support. vtiger CRM is a widely used product with thousands of users in dozens of countries. It has a vibrant community of users driving the product forward, and contributing to it's development. Over 2 million copies of vtiger CRM have been downloaded so far. It was launched as a fork of version 1.0 of the SugarCRM project launched on December 31st, 2004. 3. VULNERABILITY DESCRIPTION vTiger uses the vulnerable version of phpmailer class file located at /cron/class.phpmailer.php . 4. VERSIONS AFFECTED Tested on 5.2.1 5. PROOF-OF-CONCEPT/EXPLOIT File: /cron/class.phpmailer.php [code] 391: function SendmailSend($header, $body) { 392: if ($this->Sender != "") 393: $sendmail = sprintf("%s -oi -f %s -t", $this->Sendmail, $this->Sender); 394: else 395: $sendmail = sprintf("%s -oi -t", $this->Sendmail); [/code] 6. SOLUTION The vendor hasn't attempted to incorporate the latest version of phpMailer class in their vTigerCRM as of version 5.2.1. The flawed code portion can be patched with: 393: $sendmail = sprintf("%s -oi -f %s -t", escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender)); 395: $sendmail = sprintf("%s -oi -t", escapeshellcmd($this->Sendmail)); 7. VENDOR vTiger Development Team http://www.vtiger.com/ 8. CREDIT This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 9. DISCLOSURE TIME-LINE 2010-12-08: notified vendor 2011-10-05: no fixed version released yet 2011-10-05: vulnerability disclosed 10. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_rce Wiki VtigerCRM: https://secure.wikimedia.org/wikipedia/en/wiki/Vtiger_CRM https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3215 #yehg [2011-10-05]
Powered by blists - more mailing lists