lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <51F9F8F1.1020402@karmainsecurity.com>
Date: Thu, 01 Aug 2013 07:58:09 +0200
From: Egidio Romano <research@...mainsecurity.com>
To: bugtraq@...urityfocus.com
Subject: [KIS-2013-07] vtiger CRM <= 5.4.0 (vtigerolservice.php) PHP Code
 Injection Vulnerability

--------------------------------------------------------------------------
vtiger CRM <= 5.4.0 (vtigerolservice.php) PHP Code Injection Vulnerability
--------------------------------------------------------------------------


[-] Software Link:

http://www.vtiger.com/


[-] Affected Versions:

All versions from 5.0.0 to 5.4.0.


[-] Vulnerability Description:

The vulnerable code is located in the AddEmailAttachment SOAP method defined in /soap/vtigerolservice.php:

458.	function AddEmailAttachment($emailid,$filedata,$filename,$filesize,$filetype,$username,$session)
459.	{
460.		if(!validateSession($username,$session))
461.		return null;
462.		global $adb;
463.		require_once('modules/Users/Users.php');
464.		require_once('include/utils/utils.php');
465.		$filename = preg_replace('/\s+/', '_', $filename);//replace space with _ in filename
466.		$date_var = date('Y-m-d H:i:s');
467.	
468.		$seed_user = new Users();
469.		$user_id = $seed_user->retrieve_user_id($username);
470.	
471.		$crmid = $adb->getUniqueID("vtiger_crmentity");
472.	
473.		$upload_file_path = decideFilePath();
474.	
475.		$handle = fopen($upload_file_path.$crmid."_".$filename,"wb");
476.		fwrite($handle,base64_decode($filedata),$filesize);
477.		fclose($handle);

The vulnerability exists because this method fails to properly validate input passed through the "filedata" and
"filename" parameters, which are used to write an "email attachment" in the storage directory (lines 475-477).
This can be exploited to write (or overwrite) files with any content, resulting in execution of arbitrary PHP code.


[-] Solution:

The patch provided by the vendor (http://www.vtiger.com/blogs/?p=1467) doesn't fix completely this
vulnerability, because a remote authenticated user can still be able to inject and execute arbitrary code.

[*] The vendor was alerted about this when the feedback has been provided.


[-] Disclosure Timeline:

[13/01/2013] - Vendor notified
[06/02/2013] - Vendor asked feedback abouthttp://trac.vtiger.com/cgi-bin/trac.cgi/changeset/13848
[05/03/2013] - Feedback provided to the vendor [*]
[26/03/2013] - Vendor patch released
[18/04/2013] - CVE number requested
[20/04/2013] - CVE number assigned
[01/08/2013] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-3214 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2013-07


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ