SEC-CONSULT Security Advisory < 20051125-0 > ======================================================================= title: Even More Vulnerabilities in VTiger CRM program: vtiger CRM vulnerable version: 4.2 and earlier homepage: http://www.vtiger.com found: 2005-11-06 by: D. Fabian / SEC-CONSULT / www.sec-consult.com ======================================================================= Vendor Description: --------------- vtiger CRM is an Open Source CRM software mainly for small and medium businesses. vtiger CRM is built over proven, fast, and reliable LAMP/WAMP (Linux/Windows, Apache, MySQL, and PHP) technologies and other open source projects. vtiger CRM leverages the benefits of Open Source software and adds more value to the end-users by providing many enterprise features, such as sales force automation, customer support & service, marketing automation, inventory management, multiple database support, security management, product customization, calendaring, E-mail integration, add-ons, and others. [Source: www.vtiger.com] Vulnerabilty Overview: --------------- A short security analysis of the CRM system revealed multiple serious vulnerabilities that might result in: - administrator account takeover, - cookie/session information theft, - database manipulation (reading & deleting data), - remote code execution. The following classes of security vulnerabilities have been found: - SQL Injection - Cross Site Scripting - Path Traversal/File Disclosure - Code Execution - Arbitrary File Upload It seems that Christopher Kunz from the hardened-php project independently also discovered some of the exploits described in this advisory. Since they released their advisory without a patch being available, customer risk is already high and we'd like to add the results of our research. Vulnerability Details: --------------- ### Multiple SQL Injection Vulnerabilities Practically all SQL statements in vtiger CRM are vulnerable to SQL injection. Most seriously, the login form is vulnerable, and can be tricked into logging in as administrator by supplying the form with a username like "admin' or '1'='1" and an arbitrary password. But also the record parameter is vulnerable to SQL injection and can be used to delete or read data (e.g. index.php?action=EditView&module= Contacts&record=15+or+1=1&return_module=Contacts&return_action=index). Noteably, these attacks also work if the "magic_quote" parameter in php.ini is set to "on". ### Cross Site Scripting Just like with SQL Injection, most parameters are vulnerable to XSS. Most seriously however, the values stored in the database are also not filtered for HTML tags. Thus it is possible to create for example a new account with a name like "". Whenever another user has a look at the list of accounts, the javascript is executed. This allows an attacker to collect cookies from other users to subsequently perform session highjacking attacks. ### Path Traversal/File Disclosure Multiple parameters are vulnerable to file disclosure attacks. These attacks are based on unchecked user input being used in "include" or "require" php functions. On the one hand, this allows an attacker to disclose arbitrary files from the webserver. On the other hand, in conjunction with the file upload functionality, the flaw can be used to perform remote command execution, by simply uploading a file containing php code and including it using the following attacks: index.php?module=../../../../../../../etc/hosts%00&action=index&record= index.php?module=Leads&action=../../../../../../etc/hosts%00&record= These attacks can also be performed even if the php parameter magic_quotes is "on". ### Remote Code Execution The file given by the parameter "templatename" is parsed and its input is passed to eval() without any prior validation. Example: index.php?module=Users&action=TemplateMerge&templatename= /path/to/malicious/uploaded/file ### Arbitrary File Upload Using the URL index.php?module=uploads&action=add2db it is possible to upload arbitrary files, including files with the .php extension, resulting in arbitrary code execution. Additional Comments: --------------- This advisory is by no means a complete listing of all vulnerabilities in vtiger CRM. It is very likely that there is quite a number of more flaws. We'd like to stretch that our research was conducted independently and without knowledge of Christopher Kunz's results. Since it's a first come first serve world, credits for a subset of the flaws described in this advisory go to him. Vulnerable Versions: --------------- All of the above vulnerabilities have been found in vtiger CRM version 4.2. Earlier versions are very likely also vulnerable to the described attacks. Recommended Fix: --------------- In our opinion it is currently impossible to deploy a secure installation of vtiger CRM without major changes to the source code. As a very limited workaround apply directory authentication (e.g. htaccess) in order to at least allow only authorized users access to the application. However this of course won't keep authorized users from applying the exploits and gaining administrative access to vtiger. Vendor status: --------------- vendor notified: 2005-11-09 vendor response: 2005-11-23 patch available: According to vendor a fixed version 4.5 alpha is going to be released by the end of this week. As Christopher Kunz from the hardened-php project already published the exploits they found, the additional risk for customers caused by this advisory is negligible. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH Office Vienna Blindengasse 3 A-1080 Wien Austria Tel.: +43 / 1 / 409 0307 - 570 Fax.: +43 / 1 / 409 0307 - 590 Mail: office at sec-consult dot com www.sec-consult.com EOF Daniel Fabian / @2005 d.fabian at sec-consult dot com