lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAEJizbYuyj1nvfcJ9Bs=9Bqsi8dOFuS-kdTXwo6zAW56=Z2uyA@mail.gmail.com>
Date: Wed, 5 Oct 2011 11:05:39 +0100
From: Benji <me@...ji.com>
To: YGN Ethical Hacker Group <lists@...g.net>
Cc: vuln@...urity.nnov.ru, vuln <vuln@...unia.com>, news@...uriteam.com,
	secalert@...urityreason.com, bugs@...uritytracker.com,
	full-disclosure <full-disclosure@...ts.grok.org.uk>,
	bugtraq <bugtraq@...urityfocus.com>,
	submissions@...ketstormsecurity.org, moderators@...db.org
Subject: Re: vTiger CRM 5.2.x <= Remote Code Execution
	Vulnerability

and where in vTiger is this manipulatable from?

On Wed, Oct 5, 2011 at 11:02 AM, YGN Ethical Hacker Group <lists@...g.net>wrote:

> vTiger CRM 5.2.x <= Remote Code Execution Vulnerability
>
>
> 1. OVERVIEW
>
> The vTiger CRM 5.2.1 and lower versions are vulnerable to Remote Code
> Execution. No fixed version has been released as of 2011-10-05.
>
>
> 2. BACKGROUND
>
> vtiger CRM is a free, full-featured, 100% Open Source CRM software
> ideal for small and medium businesses, with low-cost product support
> available to production users that need reliable support. vtiger CRM
> is a widely used product with thousands of users in dozens of
> countries.  It has a vibrant community of users driving the product
> forward, and contributing to it's development.  Over 2 million copies
> of vtiger CRM have been downloaded so far. It was launched as a fork
> of version 1.0 of the SugarCRM project launched on December 31st,
> 2004.
>
>
> 3. VULNERABILITY DESCRIPTION
>
> vTiger uses the vulnerable version of phpmailer class file located at
> /cron/class.phpmailer.php .
>
>
> 4. VERSIONS AFFECTED
>
> Tested on 5.2.1
>
>
> 5. PROOF-OF-CONCEPT/EXPLOIT
>
> File: /cron/class.phpmailer.php
> [code]
>
> 391:    function SendmailSend($header, $body) {
> 392:    if ($this->Sender != "")
> 393:       $sendmail = sprintf("%s -oi -f %s -t", $this->Sendmail,
> $this->Sender);
> 394:    else
> 395:       $sendmail = sprintf("%s -oi -t", $this->Sendmail);
>
> [/code]
>
>
> 6. SOLUTION
>
> The vendor hasn't attempted to incorporate the latest version of
> phpMailer class in their vTigerCRM as of version 5.2.1.
>
> The flawed code portion can be patched with:
>
> 393: $sendmail = sprintf("%s -oi -f %s -t",
> escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
> 395: $sendmail = sprintf("%s -oi -t", escapeshellcmd($this->Sendmail));
>
>
> 7. VENDOR
>
> vTiger Development Team
> http://www.vtiger.com/
>
>
> 8. CREDIT
>
> This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
> Ethical Hacker Group, Myanmar.
>
>
> 9. DISCLOSURE TIME-LINE
>
> 2010-12-08: notified vendor
> 2011-10-05: no fixed version released yet
> 2011-10-05: vulnerability disclosed
>
>
> 10. REFERENCES
>
> Original Advisory URL:
> http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_rce
> Wiki VtigerCRM: https://secure.wikimedia.org/wikipedia/en/wiki/Vtiger_CRM
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3215
>
> #yehg [2011-10-05]
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ