SEC-20051125-0.txt

Posted Nov 30, 2005
Authored by Daniel Fabian | Site sec-consult.com

SEC-CONSULT Security Advisory 20051125-0 - vTiger versions 4.2 and below have been found susceptible to SQL injection, cross site scripting, code execution, directory traversal, and arbitrary file upload flaws.

tags | exploit, arbitrary, code execution, xss, sql injection, file upload
SHA-256 | c40cfc60da4956c1504de1864fab0f8bc8c5873f798f96b78f0c2755e01d5af9

SEC-CONSULT Security Advisory < 20051125-0 >
=======================================================================
title: Even More Vulnerabilities in VTiger CRM
program: vtiger CRM
vulnerable version: 4.2 and earlier
homepage: http://www.vtiger.com
found: 2005-11-06
by: D. Fabian / SEC-CONSULT / www.sec-consult.com
=======================================================================

Vendor Description:
---------------

vtiger CRM is an Open Source CRM software mainly for small and medium
businesses. vtiger CRM is built over proven, fast, and reliable LAMP/WAMP
(Linux/Windows, Apache, MySQL, and PHP) technologies and other open
source projects.

vtiger CRM leverages the benefits of Open Source software and adds more
value to the end-users by providing many enterprise features, such as
sales force automation, customer support & service, marketing automation,
inventory management, multiple database support, security management,
product customization, calendaring, E-mail integration, add-ons, and
others.

[Source: www.vtiger.com]


Vulnerability Overview:
---------------

A short security analysis of the CRM system revealed multiple serious
vulnerabilities that might result in:
- administrator account takeover,
- cookie/session information theft,
- database manipulation (reading & deleting data),
- remote code execution.

The following classes of security vulnerabilities have been found:
- SQL Injection
- Cross Site Scripting
- Path Traversal/File Disclosure
- Code Execution
- Arbitrary File Upload

It seems that Christopher Kunz from the hardened-php project
independently also discovered some of the exploits described in this
advisory. Since they released their advisory without a patch being
available, customer risk is already high and we'd like to add the
results of our research.


Vulnerability Details:
---------------

### Multiple SQL Injection Vulnerabilities
Practically all SQL statements in vtiger CRM are vulnerable to SQL
injection: untrusted request parameters end up in the query text. Most
seriously, the login form is vulnerable and can be tricked into logging
in as administrator by supplying a username like "admin' or '1'='1"
together with an arbitrary password.
The record parameter is also injectable and can be used to read or
delete data (e.g. index.php?action=EditView&module=
Contacts&record=15+or+1=1&return_module=Contacts&return_action=index).
Notably, these attacks also work if magic_quotes_gpc is set to "on" in
php.ini; the record payload, for one, contains no quote characters, so
quote escaping has nothing to act on.
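The two injection points above, reproduced as an added example (this is not
vtiger code; the table and column names are assumptions for the demo): an
in-memory SQLite database, a login and a record lookup built by string
concatenation the way the advisory describes, the parameterised equivalents,
and an addslashes() emulation of magic_quotes_gpc that shows why the
quoteless record payload passes through it unchanged.

```python
import sqlite3

# Added example, not vtiger code. Schema and data are constructed for the
# demo; the login payload behaves the same way against MySQL.

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_name TEXT, user_password TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("admin", "s3cret", 1), ("alice", "alicepw", 0)])
    db.execute("CREATE TABLE contacts (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO contacts VALUES (?, ?)",
                   [(15, "Contact 15"), (16, "Contact 16"), (17, "Contact 17")])
    return db

def login_vulnerable(db, username, password):
    # Untrusted input spliced into the statement: the quote in the username
    # closes the literal and the rest of it is parsed as SQL. With
    # "admin' or '1'='1" the WHERE clause becomes
    #   user_name = 'admin' OR ('1'='1' AND user_password = '...')
    # and the admin row matches whatever the password is.
    sql = ("SELECT user_name, is_admin FROM users WHERE user_name = '%s' "
           "AND user_password = '%s'" % (username, password))
    return db.execute(sql).fetchone()

def login_safe(db, username, password):
    # Bound parameters: the values travel separately from the statement and
    # are never parsed as SQL, so the same payload simply matches no user.
    sql = ("SELECT user_name, is_admin FROM users WHERE user_name = ? "
           "AND user_password = ?")
    return db.execute(sql, (username, password)).fetchone()

def record_vulnerable(db, record):
    # Numeric parameter, no quotes around it: "15 or 1=1" returns every row.
    return db.execute("SELECT id, name FROM contacts WHERE id = %s" % record).fetchall()

def record_safe(db, record):
    # Validate the type first, then bind it.
    if not str(record).isdigit():
        raise ValueError("record must be an integer id")
    return db.execute("SELECT id, name FROM contacts WHERE id = ?",
                      (int(record),)).fetchall()

def magic_quotes_gpc(s):
    # PHP's magic_quotes_gpc=On applies addslashes() to request data: it
    # escapes quotes, backslashes and NUL. A payload that contains none of
    # them comes out unchanged, which is why it does not stop the record
    # injection.
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "admin' or '1'='1", "wrong"))   # ('admin', 1)
    print(login_safe(db, "admin' or '1'='1", "wrong"))         # None
    print(record_vulnerable(db, "15 or 1=1"))                  # all three rows
    print(magic_quotes_gpc("15 or 1=1") == "15 or 1=1")        # True
```

The fix is the same for every statement in the application: bind parameters
(or, for identifiers and numbers that cannot be bound, validate against a
strict pattern) rather than rely on an escaping layer such as magic_quotes.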

### Cross Site Scripting
Just like with SQL injection, most parameters are vulnerable to XSS.
Most seriously, however, values stored in the database are not encoded
when they are written back into a page either. It is thus possible to
create, for example, a new account with a name like
"<script>alert(123)</script>". Whenever another user views the list of
accounts, the JavaScript executes in that user's browser. This allows an
attacker to collect cookies from other users and subsequently perform
session hijacking attacks.
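The stored XSS above, as an added example (not vtiger code): a constructed
list of account names, one of them the advisory's payload, rendered the way a
list view and an edit form would, once without and once with output encoding.

```python
import html

# Added example, not vtiger code. Account names are constructed for the demo.
ACCOUNTS = ["ACME Corp", "<script>alert(123)</script>", "O'Neil & Sons"]

def render_vulnerable(names):
    # Stored values written straight into the page: the browser parses the
    # second name as a <script> element and runs it for every viewer.
    return "<ul>" + "".join("<li>%s</li>" % n for n in names) + "</ul>"

def render_safe(names):
    # Encode at output time for the HTML body context. The payload is shown
    # literally as text and nothing is executed.
    return "<ul>" + "".join("<li>%s</li>" % html.escape(n, quote=True)
                            for n in names) + "</ul>"

def edit_form_safe(name):
    # The same value inside an attribute. quote=True also encodes " and ',
    # so a name such as  x" onfocus="alert(1)  cannot break out of value="".
    return '<input name="accountname" value="%s">' % html.escape(name, quote=True)

def has_script_element(markup):
    # Crude check: does a real <script> tag survive in the output?
    return "<script" in markup.lower()

if __name__ == "__main__":
    print(render_vulnerable(ACCOUNTS))
    print(render_safe(ACCOUNTS))
```

Encoding belongs at the point of output, chosen for the context (body text,
attribute, JavaScript, URL); filtering tags on input, as the advisory's
wording might suggest, misses values that reach the page by other routes.
Marking the session cookie HttpOnly limits the cookie theft described above
but does nothing against actions the injected script performs directly.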

### Path Traversal/File Disclosure
Multiple parameters are vulnerable to file disclosure attacks. These
attacks are based on unchecked user input being used in "include" or
"require" PHP statements. On the one hand, this allows an attacker to
disclose arbitrary files from the webserver. On the other hand, in
conjunction with the file upload functionality, the flaw can be used to
perform remote command execution, by simply uploading a file containing
PHP code and including it through the same parameters. The following
requests demonstrate the disclosure (the %00 terminates the path at the
NUL byte, so any suffix the application appends is dropped):

index.php?module=../../../../../../../etc/hosts%00&action=index&record=
index.php?module=Leads&action=../../../../../../etc/hosts%00&record=

These attacks can also be performed even if the PHP parameter
magic_quotes_gpc is "on".


### Remote Code Execution
The file named by the parameter "templatename" is read and its content
is passed to eval() without any prior validation, so pointing it at an
uploaded file executes whatever that file contains.

Example:
index.php?module=Users&action=TemplateMerge&templatename=
/path/to/malicious/uploaded/file
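The module/action payloads and the templatename payload share one root
cause: a request parameter names a file that is then include()d, or read and
eval()ed. The dispatcher below is an added example (not vtiger code) of the
checks a hardened version would need before touching the filesystem; the
module and action lists, the directory layout and the ".tpl" suffix are
assumptions made for the demo.

```python
import os
import string
from urllib.parse import unquote

# Added example, not vtiger code. Module/action names, layout and the
# template suffix are assumptions for the demo.
KNOWN_MODULES = {"Leads", "Contacts", "Accounts", "Users"}
KNOWN_ACTIONS = {"index", "EditView", "DetailView", "TemplateMerge"}

def resolve_include(base_dir, module, action):
    """Map ?module=X&action=Y to <base_dir>/modules/X/Y.php or raise ValueError."""
    module, action = unquote(module), unquote(action)
    # PHP's include() handed the path to C string routines, so a %00 cut it
    # off at the NUL and any ".php" the application appended was lost.
    # Reject NUL outright rather than hope the runtime does.
    if "\0" in module or "\0" in action:
        raise ValueError("NUL byte in parameter")
    # The dispatcher knows every module and action it ships: allowlist them.
    if module not in KNOWN_MODULES or action not in KNOWN_ACTIONS:
        raise ValueError("unknown module or action")
    # Defence in depth: canonicalise and confirm the target stays below root.
    root = os.path.realpath(os.path.join(base_dir, "modules"))
    target = os.path.realpath(os.path.join(root, module, action + ".php"))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes module directory")
    return target

def check_include(base_dir, module, action):
    """(True, path) if the request would be served, else (False, reason)."""
    try:
        return True, resolve_include(base_dir, module, action)
    except ValueError as e:
        return False, str(e)

def resolve_template(template_dir, templatename):
    """Template names are bare file names in one directory, never paths."""
    templatename = unquote(templatename)
    if "\0" in templatename or templatename != os.path.basename(templatename):
        raise ValueError("template name must be a bare file name")
    if not templatename.endswith(".tpl"):
        raise ValueError("unexpected template suffix")
    return os.path.join(template_dir, templatename)

def check_template(template_dir, templatename):
    try:
        return True, resolve_template(template_dir, templatename)
    except ValueError as e:
        return False, str(e)

def render_template(text, fields):
    # Merge fields by substitution instead of eval(): a template that
    # contains code is just text to string.Template.
    return string.Template(text).safe_substitute(fields)

if __name__ == "__main__":
    print(check_include("/srv/vtiger", "Leads", "index"))
    print(check_include("/srv/vtiger", "../../../../../../../etc/hosts%00", "index"))
    print(check_template("/srv/vtiger/templates", "/path/to/malicious/uploaded/file"))
    print(render_template("Dear $name, your quote is $total", {"name": "Bob"}))
```

The allowlist is the control that matters; the realpath check only catches
mistakes in it. For the template merge, the substitution engine replaces
eval() entirely, which is the only way to make a user-reachable template safe.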


### Arbitrary File Upload
Using the URL index.php?module=uploads&action=add2db it is possible to
upload arbitrary files, including files with the .php extension, which
results in arbitrary code execution.

Additional Comments:
---------------

This advisory is by no means a complete listing of all vulnerabilities in
vtiger CRM. It is very likely that there are quite a number of further
flaws. We'd like to stress that our research was conducted independently
and without knowledge of Christopher Kunz's results. Since it's a first
come, first served world, credit for a subset of the flaws described in
this advisory goes to him.


Vulnerable Versions:
---------------

All of the above vulnerabilities have been found in vtiger CRM version
4.2. Earlier versions are very likely also vulnerable to the described
attacks.


Recommended Fix:
---------------

In our opinion it is currently impossible to deploy a secure installation
of vtiger CRM without major changes to the source code. As a very limited
workaround, apply directory authentication (e.g. via .htaccess) so that
at least only authorized users can reach the application. This of course
won't keep those authorized users from applying the exploits and gaining
administrative access to vtiger.


Vendor status:
---------------
vendor notified: 2005-11-09
vendor response: 2005-11-23
patch available: According to the vendor, a fixed version 4.5 alpha is
going to be released by the end of this week. As Christopher Kunz from
the hardened-php project has already published the exploits they found,
the additional risk for customers caused by this advisory is negligible.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
www.sec-consult.com

EOF Daniel Fabian / @2005
d.fabian at sec-consult dot com

