RETIRED: vtiger CRM 'module_name' Parameter Local File Include Vulnerability
BID:52671
Info
| Bugtraq ID: | 52671 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 21 2012 12:00AM |
| Updated: | Apr 26 2012 03:30PM |
| Credit: | Pi3rrot |
| Vulnerable: | vtiger vtiger CRM 5.1 |
| Not Vulnerable: | |
Discussion
vtiger CRM is prone to a local file-include vulnerability because the 'module_name' parameter of 'modules/com_vtiger_workflow/sortfieldsjson.php' is passed into a file-include path without being validated. Directory-traversal sequences ('../') in the parameter escape the intended modules directory, and a trailing null byte (%00) truncates whatever the script appends after the supplied name. The null-byte truncation only works on PHP releases older than 5.3.4; later releases reject file paths that contain a null byte, although traversal alone still reaches any file whose name matches what the script appends.
An attacker can exploit this vulnerability to read files the webserver process can access (the example URI below retrieves /etc/passwd) and to execute any local PHP file it can cause to be included, in the context of the webserver process. This may aid in further attacks.
vtiger CRM 5.1.0 is vulnerable; other versions may also be affected.
This BID is being retired as a duplicate of BID 47263 (vtiger CRM 'sortfieldsjson.php' Local File Include Vulnerability); that record is the one to track for updates.
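To make the bug class concrete, here is an added example in Python (it is not vtiger's code and not part of the original advisory): `vulnerable_resolve` reconstructs the unsafe pattern, where the unvalidated parameter is concatenated into an include path and the null-byte truncation of PHP before 5.3.4 is emulated, and `safe_resolve` shows the allowlist-plus-containment check a maintainer would add. The web root, the `metadata.php` file name and the module allowlist are assumptions made for the example.

```python
import posixpath as pp
import re

# Constructed layout of a hypothetical vtiger install (assumption, not vtiger's real layout).
WEB_ROOT = "/var/www/vtigercrm"
MODULES_DIR = pp.join(WEB_ROOT, "modules")

# Module names the application legitimately ships (constructed allowlist for the example).
KNOWN_MODULES = {"Accounts", "Contacts", "Leads", "Potentials", "HelpDesk"}

# The advisory's PoC value, URL-decoded: eight traversal steps and a trailing NUL.
POC_INPUT = "../../../../../../../../etc/passwd\x00"


def php_nul_truncate(path):
    """Emulate the null-byte truncation of PHP < 5.3.4 filesystem functions.

    Older PHP handed the string to the C library as-is, so everything after the
    first NUL was silently dropped. PHP 5.3.4 and later reject such paths instead.
    """
    nul = path.find("\x00")
    return path if nul < 0 else path[:nul]


def vulnerable_resolve(module_name):
    """Mirror the unsafe pattern: concatenate the raw parameter into an include path.

    Hypothetical reconstruction of the bug class; 'metadata.php' is an assumed
    file name standing in for whatever the real script appends.
    """
    raw = pp.join(MODULES_DIR, module_name, "metadata.php")
    return pp.normpath(php_nul_truncate(raw))


def safe_resolve(module_name):
    """Hardened replacement: allowlist the name, then confirm the path stays contained."""
    if "\x00" in module_name:
        raise ValueError("null byte in module_name")
    if not re.fullmatch(r"[A-Za-z0-9_]+", module_name):
        raise ValueError("module_name contains characters outside [A-Za-z0-9_]")
    if module_name not in KNOWN_MODULES:
        raise ValueError("unknown module: %r" % module_name)
    candidate = pp.normpath(pp.join(MODULES_DIR, module_name, "metadata.php"))
    # Defence in depth: even an allowlisted name must resolve inside MODULES_DIR.
    if pp.commonpath([candidate, MODULES_DIR]) != MODULES_DIR:
        raise ValueError("resolved path escapes the modules directory")
    return candidate


def is_rejected(module_name):
    """True when safe_resolve refuses the value (convenience for callers and tests)."""
    try:
        safe_resolve(module_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe, PoC input      ->", vulnerable_resolve(POC_INPUT))
    print("unsafe, no null byte   ->", vulnerable_resolve(POC_INPUT.rstrip("\x00")))
    print("safe,   Accounts       ->", safe_resolve("Accounts"))
    print("safe,   PoC rejected   ->", is_rejected(POC_INPUT))
```

Without the null byte the unsafe path still escapes the modules directory but ends in the appended file name, which is why the PoC needs the `%00` on old PHP; the hardened function never reaches the filesystem with attacker-shaped input because the allowlist check runs first and the containment check is only a backstop.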
Exploit / POC
An attacker can exploit this issue using a browser or any other HTTP client.
The following example URI is available; it climbs eight directory levels (enough to reach the filesystem root from a typical install path) to read /etc/passwd and terminates the path with a null byte:
http://www.example.com/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00
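For the detection side, an added example in Python (not from the advisory or from vtiger) that scans Apache combined-format access logs for requests to sortfieldsjson.php whose 'module_name' carries traversal sequences, path separators or a null byte, including percent-encoded forms. The log lines are constructed for the example and use documentation IP ranges.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format log lines (not real traffic). Line 2 is the
# advisory's PoC; line 3 is the same traversal percent-encoded and without a NUL.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Mar/2012:10:01:12 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=Accounts HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [21/Mar/2012:10:02:45 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1874 "-" "curl/7.21"
198.51.100.23 - - [21/Mar/2012:10:02:50 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1874 "-" "curl/7.21"
192.0.2.9 - - [21/Mar/2012:10:03:00 +0000] "GET /vtigercrm/index.php?module=Leads&action=index HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

TARGET_SCRIPT = "sortfieldsjson.php"
# A legitimate module name is a plain identifier; anything else is worth a look.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_]+$")


def suspicious_module_name(value):
    """True when a (once-decoded) module_name could not be a legitimate module name.

    parse_qs already percent-decodes once, as the PHP application would; decoding a
    second time here also catches double-encoded traversal attempts.
    """
    decoded = unquote(value)
    if "\x00" in decoded:
        return True
    if ".." in decoded or "/" in decoded or "\\" in decoded:
        return True
    return not SAFE_NAME.match(decoded)


def find_lfi_attempts(log_text):
    """Return one dict per request to the target script with a suspicious module_name."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(TARGET_SCRIPT):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("module_name", []):
            if suspicious_module_name(value):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "status": m.group("status"),
                    "module_name": value,
                })
    return hits


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print("%(ip)s %(time)s status=%(status)s module_name=%(module_name)r" % hit)
```

A 200 status on a flagged request is the signal to escalate: it means the script ran with the traversal value, so the next step is to check the PHP version (null-byte truncation only on releases before 5.3.4) and what the include would have reached on that host.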
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches. Because this record is retired as a duplicate of BID 47263, consult that advisory for any later fix information. Until a fix is applied, restrict access to 'modules/com_vtiger_workflow/sortfieldsjson.php' at the web server, and validate 'module_name' against the set of installed module names before it is used in any file path, rejecting any value that contains '/', '..' or a null byte. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
References:
- vtiger CRM Homepage (vtiger)