Sign-up

ID

VAR-201011-0264


CVE

CVE-2010-3909


TITLE

vtiger CRM of config.template.php Vulnerable to arbitrary code execution

Trust: 0.8

sources: JVNDB: JVNDB-2010-003272

DESCRIPTION

Incomplete blacklist vulnerability in config.template.php in vtiger CRM before 5.2.1 allows remote authenticated users to execute arbitrary code by using the draft save feature in the Compose Mail component to upload a file with a .phtml extension, and then accessing this file via a direct request to the file in the storage/ directory tree. vtiger CRM is prone to a remote security vulnerability. vtiger CRM is an open source web-based customer relationship management system. There is an incomplete blacklist vulnerability in the config.template.php file in vtiger CRM versions prior to 5.2.1. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta. Join the beta: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: vtiger CRM Multiple Vulnerabilities SECUNIA ADVISORY ID: SA42246 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42246/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42246 RELEASE DATE: 2010-11-19 DISCUSS ADVISORY: http://secunia.com/advisories/42246/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/42246/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=42246 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Some vulnerabilities have been discovered in vtiger CRM, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to conduct cross-site scripting attacks and disclose sensitive information. 1) An error exists in the file upload functionality due to the emails module not properly checking file names and extensions. This can be exploited to upload and execute arbitrary PHP code e.g. via ".phtml" files. 2) Input passed e.g. via the "lang_crm" parameter to phprint.php or the "current_language" parameter to graph.php is not properly verified in the "return_application_language()" function in include/utils/utils.php before being used to include files. This can be exploited to include arbitrary file from local resources via directory traversal sequences and URL-encoded NULL bytes. Successful exploitation of this vulnerability requires that "magic_quotes_gpc" is disabled. 3) Input passed via the "user_name" and "user_password" parameters to index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 4) Input passed via the "label" parameter to index.php (when "module" is set to "Settings" and "action" is set to "GetFieldInfo") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerabilities are confirmed in version 5.2.0. Other versions may also be affected. SOLUTION: Update to version 5.2.1. PROVIDED AND/OR DISCOVERED BY: Giovanni "evilaliv3" Pellerano and Alessandro "jekil" Tanasi ORIGINAL ADVISORY: vtiger CRM: http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes Giovanni Pellerano and Alessandro Tanasi: http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.07

sources: NVD: CVE-2010-3909 // JVNDB: JVNDB-2010-003272 // BID: 78746 // VULHUB: VHN-46514 // PACKETSTORM: 95988

AFFECTED PRODUCTS

vendor:vtigermodel:crmscope:eqversion:4

Trust: 1.9

vendor:vtigermodel:crmscope:eqversion:5.1.0

Trust: 1.9

vendor:vtigermodel:crmscope:eqversion:5.0.4

Trust: 1.9

vendor:vtigermodel:crmscope:eqversion:4.2

Trust: 1.9

vendor:vtigermodel:crmscope:eqversion:5.0.3

Trust: 1.9

vendor:vtigermodel:crmscope:eqversion:3.0

Trust: 1.6

vendor:vtigermodel:crmscope:eqversion:2.1

Trust: 1.3

vendor:vtigermodel:crmscope:eqversion:5.0.2

Trust: 1.3

vendor:vtigermodel:crmscope:eqversion:3

Trust: 1.3

vendor:vtigermodel:crmscope:eqversion:2.0

Trust: 1.3

vendor:vtigermodel:crmscope:eqversion:4.2.4

Trust: 1.3

vendor:vtigermodel:crmscope:eqversion:1.0

Trust: 1.3

vendor:vtigermodel:crmscope:eqversion:4.0.1

Trust: 1.3

vendor:vtigermodel:crmscope:eqversion:2.0.1

Trust: 1.3

vendor:vtigermodel:crmscope:eqversion:4.0

Trust: 1.3

vendor:vtigermodel:crmscope:eqversion:3.2

Trust: 1.3

vendor:vtigermodel:crmscope:eqversion:*

Trust: 1.0

vendor:vtigermodel:crmscope:lteversion:5.2.0

Trust: 1.0

vendor:vtigermodel:crmscope:eqversion:5.0.0

Trust: 1.0

vendor:vtigermodel:crmscope:eqversion:5.2.0

Trust: 0.9

vendor:vtigermodel:crmscope:ltversion:5.2.1

Trust: 0.8

vendor:vtigermodel:crmscope: - version: -

Trust: 0.6

vendor:vtigermodel:crmscope:eqversion:5

Trust: 0.3

vendor:vtigermodel:crmscope:eqversion:3.0.1

Trust: 0.3

vendor:vtigermodel:crm rc1scope:eqversion:4

Trust: 0.3

vendor:vtigermodel:crm validationscope:eqversion:4.2

Trust: 0.3

vendor:vtigermodel:crm betascope:eqversion:4

Trust: 0.3

vendor:vtigermodel:crm betascope:eqversion:3.0

Trust: 0.3

vendor:vtigermodel:crm rcscope:eqversion:5.0.4

Trust: 0.3

vendor:vtigermodel:crm rcscope:eqversion:5.1.0

Trust: 0.3

sources: BID: 78746 // JVNDB: JVNDB-2010-003272 // CNNVD: CNNVD-201011-248 // NVD: CVE-2010-3909

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2010-3909
value: MEDIUM

Trust: 1.0

NVD: CVE-2010-3909
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201011-248
value: MEDIUM

Trust: 0.6

VULHUB: VHN-46514
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2010-3909
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-46514
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-46514 // JVNDB: JVNDB-2010-003272 // CNNVD: CNNVD-201011-248 // NVD: CVE-2010-3909

PROBLEMTYPE DATA

problemtype:CWE-94

Trust: 1.9

sources: VULHUB: VHN-46514 // JVNDB: JVNDB-2010-003272 // NVD: CVE-2010-3909

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201011-248

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-201011-248

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2010-003272

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-46514

PATCH
title:Vtiger521:Release Notesurl:http://wiki.vtiger.com/index.php/Vtiger521:Release_Notes
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2010-003272

EXTERNAL IDS
db:NVDid:CVE-2010-3909
Trust: 2.9
db:SECUNIAid:42246
Trust: 1.8
db:JVNDBid:JVNDB-2010-003272
Trust: 0.8
db:CNNVDid:CNNVD-201011-248
Trust: 0.7
db:BUGTRAQid:20101116 VTIGER CRM 5.2.0 MULTIPLE VULNERABILITIES
Trust: 0.6
db:BIDid:78746
Trust: 0.4
db:PACKETSTORMid:95931
Trust: 0.2
db:VULHUBid:VHN-46514
Trust: 0.1
db:PACKETSTORMid:95988
Trust: 0.1
sources:
            
            
            VULHUB: VHN-46514 // 
            
            
            
            BID: 78746 // 
            
            
            
            JVNDB: JVNDB-2010-003272 // 
            
            
            
            PACKETSTORM: 95988 // 
            
            
            
            PACKETSTORM: 95931 // 
            
            
            
            CNNVD: CNNVD-201011-248 // 
            
            
            
            NVD: CVE-2010-3909

REFERENCES
url:http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt
Trust: 2.2
url:http://wiki.vtiger.com/index.php/vtiger521:release_notes
Trust: 2.1
url:http://vtiger.com/blogs/2010/11/16/vtiger-crm-521-is-released/
Trust: 2.0
url:http://secunia.com/advisories/42246
Trust: 1.7
url:http://www.securityfocus.com/archive/1/514846/100/0/threaded
Trust: 1.1
url:http://www.securityfocus.com/archive/1/archive/1/514846/100/0/threaded
Trust: 0.9
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-3909
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-3909
Trust: 0.8
url:http://secunia.com/products/corporate/evm/
Trust: 0.1
url:http://secunia.com/advisories/secunia_security_advisories/
Trust: 0.1
url:http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
Trust: 0.1
url:http://secunia.com/advisories/42246/#comments
Trust: 0.1
url:http://secunia.com/advisories/42246/
Trust: 0.1
url:http://secunia.com/products/corporate/vim/
Trust: 0.1
url:http://secunia.com/vulnerability_scanning/personal/
Trust: 0.1
url:https://ca.secunia.com/?page=viewadvisory&vuln_id=42246
Trust: 0.1
url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Trust: 0.1
url:http://secunia.com/advisories/about_secunia_advisories/
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2010-3909
Trust: 0.1
url:http://www.tanasi.it/
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2010-3911
Trust: 0.1
url:http://www.vtigercrm.com
Trust: 0.1
url:http://127.0.0.1/vtigercrm/index.php?module=users&action=login&default_user_name
Trust: 0.1
url:http://127.0.0.1/vtigercrm/graph.php?current_language=/../[..]/../
Trust: 0.1
url:http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt
Trust: 0.1
url:http://www.ush.it/,
Trust: 0.1
url:http://www.evilaliv3.org/
Trust: 0.1
url:http://secunia.com/
Trust: 0.1
url:http://127.0.0.1/vtigercrm/phprint.php?lang_crm=/../[..]/../
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2010-3910
Trust: 0.1
url:http://127.0.0.1/vtigercrm/index.php?module=settings&action=getfieldinfo&label
Trust: 0.1
url:http://lists.grok.org.uk/full-disclosure-charter.html
Trust: 0.1
sources:
            
            
            VULHUB: VHN-46514 // 
            
            
            
            BID: 78746 // 
            
            
            
            JVNDB: JVNDB-2010-003272 // 
            
            
            
            PACKETSTORM: 95988 // 
            
            
            
            PACKETSTORM: 95931 // 
            
            
            
            CNNVD: CNNVD-201011-248 // 
            
            
            
            NVD: CVE-2010-3909

CREDITS
Unknown
Trust: 0.3
sources:
            
            
            BID: 78746

SOURCES
db:VULHUBid:VHN-46514
db:BIDid:78746
db:JVNDBid:JVNDB-2010-003272
db:PACKETSTORMid:95988
db:PACKETSTORMid:95931
db:CNNVDid:CNNVD-201011-248
db:NVDid:CVE-2010-3909

LAST UPDATE DATE
2025-04-11T23:04:23.970000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-46514date:2018-10-30T00:00:00
db:BIDid:78746date:2010-11-26T00:00:00
db:JVNDBid:JVNDB-2010-003272date:2012-03-27T00:00:00
db:CNNVDid:CNNVD-201011-248date:2010-11-30T00:00:00
db:NVDid:CVE-2010-3909date:2025-04-11T00:51:21.963

SOURCES RELEASE DATE
db:VULHUBid:VHN-46514date:2010-11-26T00:00:00
db:BIDid:78746date:2010-11-26T00:00:00
db:JVNDBid:JVNDB-2010-003272date:2012-03-27T00:00:00
db:PACKETSTORMid:95988date:2010-11-19T06:21:45
db:PACKETSTORMid:95931date:2010-11-18T00:23:11
db:CNNVDid:CNNVD-201011-248date:2010-11-30T00:00:00
db:NVDid:CVE-2010-3909date:2010-11-26T20:00:03.877