Even More Vulnerabilities in VTiger CRM

SEC-CONSULT Security Advisory < 20051125-0 >

=======================================================================
title: Even More Vulnerabilities in VTiger CRM
program: vtiger CRM
vulnerable version: 4.2 and earlier
homepage: www.vtiger.com
found: 2005-11-06
by: D. Fabian / SEC-CONSULT / www.sec-consult.com
=======================================================================

Vendor Description:
---------------

vtiger CRM is an Open Source CRM software mainly for small and medium businesses. vtiger CRM is built over proven, fast, and reliable LAMP/WAMP (Linux/Windows, Apache, MySQL, and PHP) technologies and other open source projects.

vtiger CRM leverages the benefits of Open Source software and adds more value to the end-users by providing many enterprise features, such as sales force automation, customer support & service, marketing automation, inventory management, multiple database support, security management, product customization, calendaring, E-mail integration, add-ons, and others.

[Source: www.vtiger.com]

Vulnerability Overview:
---------------

A short security analysis of the CRM system revealed multiple serious vulnerabilities that might result in:
- administrator account takeover,
- cookie/session information theft,
- database manipulation (reading & deleting data),
- remote code execution.

The following classes of security vulnerabilities have been found:
- SQL Injection
- Cross Site Scripting
- Path Traversal/File Disclosure
- Code Execution
- Arbitrary File Upload

It seems that Christopher Kunz from the hardened-php project independently also discovered some of the exploits described in this advisory. Since they released their advisory without a patch being available, customer risk is already high and we'd like to add the results of our research.

Vulnerability Details:
---------------

### Multiple SQL Injection Vulnerabilities

Practically all SQL statements in vtiger CRM are vulnerable to SQL injection. Most seriously, the login form is vulnerable and can be tricked into logging in as administrator by supplying the form with a username like "admin' or '1'='1" and an arbitrary password. The record parameter is also vulnerable to SQL injection and can be used to delete or read data (e.g. index.php?action=EditView&module=Contacts&record=15+or+1=1&return_module=Contacts&return_action=index). Notably, these attacks also work if the "magic_quotes" parameter in php.ini is set to "on".
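
The two injection points described above, as an added example that is not vtiger's code: the login check and the record lookup written first as string concatenation (the pattern the advisory describes) and then as prepared statements. An in-memory SQLite database with assumed table and column names stands in for vtiger's MySQL schema so the script runs from the command line.

```php
<?php
// Added example, not vtiger code: the login check and the record lookup as
// string concatenation beside the same queries as prepared statements.
// An in-memory SQLite database with assumed table and column names stands
// in for vtiger's MySQL schema.

function build_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT, user_password TEXT)');
    $db->exec('CREATE TABLE contacts (contactid INTEGER PRIMARY KEY, lastname TEXT)');
    // Constructed sample rows; plaintext passwords only because hashing is not the point here.
    $db->exec("INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'alice', 'pw')");
    $db->exec("INSERT INTO contacts VALUES (15, 'Doe'), (16, 'Roe')");
    return $db;
}

// Vulnerable pattern: the submitted values are spliced into the SQL text, so a
// quote in the username ends the string literal and the rest is parsed as SQL.
function login_vulnerable(PDO $db, string $user, string $pass): ?array {
    $sql = "SELECT id, user_name FROM users WHERE user_name='$user' AND user_password='$pass'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened pattern: placeholders; the values travel separately from the query
// text, and a quote in the username is just a character to compare against.
function login_safe(PDO $db, string $user, string $pass): ?array {
    $stmt = $db->prepare('SELECT id, user_name FROM users WHERE user_name = ? AND user_password = ?');
    $stmt->execute([$user, $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Numeric parameter: the value is not quoted in the SQL, and "15 or 1=1" holds
// no quote for magic_quotes to escape, which is why that setting does not help.
function contact_vulnerable(PDO $db, string $record): array {
    return $db->query("SELECT contactid FROM contacts WHERE contactid=$record")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: accept only a plain decimal integer, then bind it as a parameter.
function contact_safe(PDO $db, string $record): array {
    if (!ctype_digit($record)) {
        return [];   // in a real handler: log the attempt and return an error page
    }
    $stmt = $db->prepare('SELECT contactid FROM contacts WHERE contactid = ?');
    $stmt->execute([(int) $record]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = build_demo_db();
$username = "admin' or '1'='1";   // the username from the advisory
var_dump(login_vulnerable($db, $username, 'wrong'));  // the admin row, without knowing the password
var_dump(login_safe($db, $username, 'wrong'));        // no row: no user has that literal name
var_dump(contact_vulnerable($db, '15 or 1=1'));       // every contact, not just 15
var_dump(contact_safe($db, '15 or 1=1'));             // refused before any query runs
var_dump(contact_safe($db, '15'));                    // only contact 15
```

The prepared statement is the actual fix; the ctype_digit() check in front of it is defence in depth and, more importantly, the place to log a request that should never occur in normal use.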

 

### Cross Site Scripting

Just like with SQL injection, most parameters are vulnerable to XSS. Most seriously, however, the values stored in the database are also not filtered for HTML tags. Thus it is possible to create, for example, a new account with a name like "<script>alert(123)</script>". Whenever another user has a look at the list of accounts, the JavaScript is executed. This allows an attacker to collect cookies from other users to subsequently perform session hijacking attacks.
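
The stored XSS described above, as an added example that is not vtiger's code: one account-list row rendered with the database value echoed unchanged, and the same row with every dynamic value encoded for the context it lands in. The list markup and the link format are assumptions; the account record is constructed.

```php
<?php
// Added example, not vtiger code: rendering a stored account name into the
// account list without and with output encoding. The markup is assumed and
// the record is a constructed sample.

// Vulnerable pattern: the value read from the database is written into the
// HTML as-is, so markup saved by one user runs in every other user's browser.
function render_row_vulnerable(array $account): string {
    return '<tr><td><a href="index.php?module=Accounts&action=DetailView&record='
        . $account['id'] . '">' . $account['name'] . '</a></td></tr>';
}

// Hardened pattern: encode at output time, per context. The record id goes into
// a URL query value, the name into HTML text; ENT_QUOTES also makes the same
// call safe inside attribute values, and the charset must match the page's.
function render_row_safe(array $account): string {
    $id   = rawurlencode((string) $account['id']);
    $name = htmlspecialchars($account['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td><a href="index.php?module=Accounts&amp;action=DetailView&amp;record='
        . $id . '">' . $name . '</a></td></tr>';
}

// The account name from the advisory, as it would sit in the database.
$stored = ['id' => 7, 'name' => '<script>alert(123)</script>'];
echo render_row_vulnerable($stored), "\n";  // the script element reaches the viewer's browser
echo render_row_safe($stored), "\n";        // the same text is shown literally and does not run
```

Output encoding is the control that closes the stored variant: filtering on input misses values that enter the database through other paths (imports, the SQL injection above). Marking the session cookie HttpOnly (session.cookie_httponly in php.ini) additionally keeps the cookie out of reach of injected script, although it does not stop the script from acting on the user's behalf.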

 

### Path Traversal/File Disclosure

Multiple parameters are vulnerable to file disclosure attacks. These attacks are based on unchecked user input being used in "include" or "require" PHP functions. On the one hand, this allows an attacker to disclose arbitrary files from the webserver. On the other hand, in conjunction with the file upload functionality, the flaw can be used to perform remote command execution by simply uploading a file containing PHP code and including it using the following attacks:

index.php?module=../../../../../../../etc/hosts%00&action=index&record=
index.php?module=Leads&action=../../../../../../etc/hosts%00&record=

These attacks can also be performed even if the PHP parameter magic_quotes is "on".

### Remote Code Execution

The file given by the parameter "templatename" is parsed and its contents are passed to eval() without any prior validation.

Example:
index.php?module=Users&action=TemplateMerge&templatename=/path/to/malicious/uploaded/file
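
The include-based file disclosure and the templatename-based code execution share one root cause (a request parameter chooses a file path), so one added example, not vtiger's code, serves both sections: the module/action parameters resolved against a fixed allowlist, and a template name resolved with realpath() and confined to its directory. The modules/<Module>/<action>.php layout, the allowlists and the template directory are assumptions modelled on the URLs in the advisory.

```php
<?php
// Added example, not vtiger code: resolving the "module", "action" and
// "templatename" request parameters to files without letting the request
// choose the path. The directory layout and allowlists are assumptions.

const MODULES_DIR   = __DIR__ . '/modules';
const VALID_MODULES = ['Accounts', 'Contacts', 'Leads', 'Users'];
const VALID_ACTIONS = ['index', 'EditView', 'DetailView'];

// Vulnerable pattern: the request parameters become the include path.
// "../" walks out of the modules tree, and on the PHP versions of the day a
// %00 (null byte) cut the path short so the ".php" suffix never applied.
function include_path_vulnerable(string $module, string $action): string {
    return MODULES_DIR . "/$module/$action.php";
}

// Hardened pattern: strict comparison against a fixed allowlist; the path is
// built from the matched constant and any other value is refused.
function include_path_safe(string $module, string $action): ?string {
    if (!in_array($module, VALID_MODULES, true) || !in_array($action, VALID_ACTIONS, true)) {
        return null;
    }
    return MODULES_DIR . "/$module/$action.php";
}

// A template chosen by name may be "any file that already exists in the
// templates directory": reject separators and null bytes outright, then
// canonicalise with realpath() and confirm the result stayed inside the base.
// The resolved file is read as data for string substitution, never eval()ed.
function template_path_safe(string $baseDir, string $name): ?string {
    if ($name === '' || strpbrk($name, "\0/\\") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;   // missing, a directory, or resolved outside $baseDir
    }
    return $path;
}

// The two traversal strings from the advisory and a clean request, side by side.
$hosts = '../../../../../../../etc/hosts' . "\0";
var_dump(include_path_vulnerable($hosts, 'index'));   // a path that leaves the modules tree
var_dump(include_path_safe($hosts, 'index'));         // refused: not on the module allowlist
var_dump(include_path_safe('Leads', '../../../../../../etc/hosts' . "\0"));  // refused: not an allowed action
var_dump(include_path_safe('Leads', 'index'));        // the one file this request may load

// Template lookup against a throwaway directory created for this demo.
$tplDir = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
mkdir($tplDir);
file_put_contents("$tplDir/welcome.tpl", 'Hello $firstname');
var_dump(template_path_safe($tplDir, 'welcome.tpl'));                      // the file inside $tplDir
var_dump(template_path_safe($tplDir, '/path/to/malicious/uploaded/file')); // refused: contains separators
var_dump(template_path_safe($tplDir, '..'));                               // refused: resolves outside the base
unlink("$tplDir/welcome.tpl");
rmdir($tplDir);
```

The allowlist form is preferable wherever the set of valid values is known in advance, as it is for modules and actions; the realpath() form is for the case where the files are data that administrators add. Neither form makes eval() of a user-selected file acceptable: a template engine that substitutes placeholders into text removes the need for eval() entirely.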

 

 

### Arbitrary File Upload

Using the URL index.php?module=uploads&action=add2db it is possible to upload arbitrary files, including files with the .php extension, resulting in arbitrary code execution.
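
The upload handling described above, as an added example that is not vtiger's code: a validator that keeps only file types the application expects, checks the bytes rather than the client-supplied name, chooses the stored name itself, and assumes a store outside the document root. The $_FILES-style input is a constructed array so the script runs from the command line; the paths and the allowed-type list are assumptions.

```php
<?php
// Added example, not vtiger code: an upload validator that only keeps files of
// types the application expects, decides the stored name itself, and assumes a
// store outside the document root. Paths and the type list are assumptions.

const UPLOAD_DIR = '/var/lib/crm_uploads';   // assumption: not served by the web server
const ALLOWED = [                            // extension => MIME type the bytes must match
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'txt' => 'text/plain',
];

/**
 * Validates one upload. Returns [storedName, null] on success or [null, reason].
 * $file mirrors one $_FILES entry: ['name' => ..., 'tmp_name' => ..., 'size' => ...].
 */
function validate_upload(array $file, int $maxBytes = 5000000): array {
    if (!isset($file['name'], $file['tmp_name'], $file['size'])) {
        return [null, 'malformed upload'];
    }
    if ($file['size'] > $maxBytes) {
        return [null, 'too large'];
    }
    // Only the final extension counts, lower-cased, and it must be on the list,
    // so "x.php" and "x.PhP" are refused outright.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return [null, "extension '$ext' not allowed"];
    }
    // Trust the bytes, not the client-supplied name or Content-Type header.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== ALLOWED[$ext]) {
        return [null, "content is $detected, expected " . ALLOWED[$ext]];
    }
    // Server-chosen name: nothing from the client reaches the filesystem.
    return [bin2hex(random_bytes(16)) . '.' . $ext, null];
}

// In a real request handler the accepted file is then moved with
// move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $storedName)
// and later served through a download script that sets
// Content-Disposition: attachment, never by a direct URL into the store.

// Constructed samples: a text file, a PHP file, and PHP content behind a .txt name.
function sample(string $name, string $content): array {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $content);
    return ['name' => $name, 'tmp_name' => $tmp, 'size' => strlen($content)];
}

foreach ([
    sample('notes.txt', "Meeting notes, constructed sample\n"),
    sample('shell.php', "<?php echo 'x';"),
    sample('notes.txt', "<?php echo 'x';"),
] as $upload) {
    [$stored, $err] = validate_upload($upload);
    printf("%-10s -> %s\n", $upload['name'], $stored ?? "rejected: $err");
    unlink($upload['tmp_name']);
}
// notes.txt is stored under a random name; shell.php fails the extension check;
// the PHP-bearing .txt fails the content check when libmagic recognises the
// "<?php" tag (text/x-php) and is otherwise kept under a .txt name, which a
// web server configured to execute only .php files will never run.
```

The three controls are deliberately layered: the extension allowlist stops the .php case from the advisory, the content check catches renamed scripts, and the server-chosen name plus out-of-webroot storage mean that even a file that passes both can only ever be downloaded, not executed.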

 

Additional Comments:
---------------

This advisory is by no means a complete listing of all vulnerabilities in vtiger CRM. It is very likely that there are quite a number of additional flaws. We'd like to stress that our research was conducted independently and without knowledge of Christopher Kunz's results. Since it's a first come, first served world, credits for a subset of the flaws described in this advisory go to him.

Vulnerable Versions:
---------------

All of the above vulnerabilities have been found in vtiger CRM version 4.2. Earlier versions are very likely also vulnerable to the described attacks.

Recommended Fix:
---------------

In our opinion it is currently impossible to deploy a secure installation of vtiger CRM without major changes to the source code. As a very limited workaround, apply directory authentication (e.g. .htaccess) in order to at least allow only authorized users access to the application. However, this of course won't keep authorized users from applying the exploits and gaining administrative access to vtiger.

Vendor status:
---------------

vendor notified: 2005-11-09
vendor response: 2005-11-23
patch available: According to the vendor, a fixed version 4.5 alpha is going to be released by the end of this week. As Christopher Kunz from the hardened-php project already published the exploits they found, the additional risk for customers caused by this advisory is negligible.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
www.sec-consult.com

EOF Daniel Fabian / @2005
d.fabian at sec-consult dot com