and where in vTiger is this manipulatable from?<br><br><div class="gmail_quote">On Wed, Oct 5, 2011 at 11:02 AM, YGN Ethical Hacker Group <span dir="ltr"><<a href="mailto:lists@yehg.net">lists@yehg.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">vTiger CRM 5.2.x <= Remote Code Execution Vulnerability<br>
<br>
<br>
1. OVERVIEW<br>
<br>
The vTiger CRM 5.2.1 and lower versions are vulnerable to Remote Code<br>
Execution. No fixed version has been released as of 2011-10-05.<br>
<br>
<br>
2. BACKGROUND<br>
<br>
vtiger CRM is a free, full-featured, 100% Open Source CRM software<br>
ideal for small and medium businesses, with low-cost product support<br>
available to production users that need reliable support. vtiger CRM<br>
is a widely used product with thousands of users in dozens of<br>
countries. It has a vibrant community of users driving the product<br>
forward, and contributing to it's development. Over 2 million copies<br>
of vtiger CRM have been downloaded so far. It was launched as a fork<br>
of version 1.0 of the SugarCRM project launched on December 31st,<br>
2004.<br>
<br>
<br>
3. VULNERABILITY DESCRIPTION<br>
<br>
vTiger uses the vulnerable version of phpmailer class file located at<br>
/cron/class.phpmailer.php .<br>
<br>
<br>
4. VERSIONS AFFECTED<br>
<br>
Tested on 5.2.1<br>
<br>
<br>
5. PROOF-OF-CONCEPT/EXPLOIT<br>
<br>
File: /cron/class.phpmailer.php<br>
[code]<br>
<br>
391: function SendmailSend($header, $body) {<br>
392: if ($this->Sender != "")<br>
393: $sendmail = sprintf("%s -oi -f %s -t", $this->Sendmail,<br>
$this->Sender);<br>
394: else<br>
395: $sendmail = sprintf("%s -oi -t", $this->Sendmail);<br>
<br>
[/code]<br>
<br>
<br>
6. SOLUTION<br>
<br>
The vendor hasn't attempted to incorporate the latest version of<br>
phpMailer class in their vTigerCRM as of version 5.2.1.<br>
<br>
The flawed code portion can be patched with:<br>
<br>
393: $sendmail = sprintf("%s -oi -f %s -t",<br>
escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));<br>
395: $sendmail = sprintf("%s -oi -t", escapeshellcmd($this->Sendmail));<br>
<br>
<br>
7. VENDOR<br>
<br>
vTiger Development Team<br>
<a href="http://www.vtiger.com/" target="_blank">http://www.vtiger.com/</a><br>
<br>
<br>
8. CREDIT<br>
<br>
This vulnerability was discovered by Aung Khant, <a href="http://yehg.net" target="_blank">http://yehg.net</a>, YGN<br>
Ethical Hacker Group, Myanmar.<br>
<br>
<br>
9. DISCLOSURE TIME-LINE<br>
<br>
2010-12-08: notified vendor<br>
2011-10-05: no fixed version released yet<br>
2011-10-05: vulnerability disclosed<br>
<br>
<br>
10. REFERENCES<br>
<br>
Original Advisory URL:<br>
<a href="http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_rce" target="_blank">http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_rce</a><br>
Wiki VtigerCRM: <a href="https://secure.wikimedia.org/wikipedia/en/wiki/Vtiger_CRM" target="_blank">https://secure.wikimedia.org/wikipedia/en/wiki/Vtiger_CRM</a><br>
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3215" target="_blank">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3215</a><br>
<br>
#yehg [2011-10-05]<br>
<br>
_______________________________________________<br>
Full-Disclosure - We believe in it.<br>
Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>
Hosted and sponsored by Secunia - <a href="http://secunia.com/" target="_blank">http://secunia.com/</a><br>
</blockquote></div><br>