IMPORTANT: Webforms Security: Please inform me..

Comments

• 11 Comments sorted by Votes Date Added
• prasad.a

  January 2009 Vote Up0Vote Down

  hi effgee,
  
  our webform implementation is very basic right now. we are planning to enhance the feature in the upcoming release.
  
  regards,
  prasad
  vtiger team
• effgee

  January 2009 Vote Up0Vote Down

  hello prassad,
  
  yes, i realize it is very basic.
  i have just recently added more fields and a captcha to my forms, but realized the backend doesn't seem to have any security.
  i assume you are in agreement with my observations.
  
  i would like to put my own check or password based auth into the backend so that it is actually secure.
  
  i am a new programmer, and i would appreciate any pointers on which file (probably in the soap backend) i would need to add the password check.
  i already have added session based checking for variable holding so it should be trivial to pass a token or key.
  i just don't know the code well enough to understand where the data gets passed to.
• prasad.a

  January 2009 Vote Up0Vote Down

  hi effgee,
  
  the data gets passed on to vtigercrm/soap/webforms.php , which handles soap request from webforms.
  
  please do keep us updated with your modifications.
  
  thank you,
  prasad
  vtiger team
• effgee

  January 2009 Vote Up0Vote Down

  i have a possible work around for the security issues.
  first i will start with my current modifications.
  
  *** features ***
  
  more entry fields
  
  firstname *required
  lastname *required
  company *required
  email * required
  phone
  street
  city
  country
  description
  
  recapture spam protection
  
  email notification of webform submittal
  the email notification code was borrowed from another forum post i found earlier.
  
  my modifications involve these files.
  
  /webforms/lead/index.php
  

  <?php
  session_start(); 
  
  ?>
  <?php
  /*********************************************************************************
  ** the contents of this file are subject to the vtiger crm public license version 1.0
   * ("license"); you may not use this file except in compliance with the license
   * the original code is:  vtiger crm open source
   * the initial developer of the original code is vtiger.
   * portions created by vtiger are copyright (c) vtiger.
   * all rights reserved.
  *
   ********************************************************************************/
  
  if($error_message != '')
     echo '<span class="form_error">'.$error_message.'</span>';
  
  require_once('config.php');
  global $default_charset;
  
  // recapture begin
  require_once('recaptchalib.php');
  $publickey = " "; // your recaptcha public key, you got this from the signup page - sign up here: http://recaptcha.net/whyrecaptcha.html
  //recapture end
  
  ?>
  <!doctype html public "-//w3c//dtd html 4.01//en">
  <html>
  <head>
  <meta http-equiv="content-type" content="text/html; charset=<?php echo $default_charset ?>">
  <script type="text/javascript" language="javascript" src="/webforms/lead/validateform.js"></script>
  <link href="form.css" rel="stylesheet" type="text/css">
  </head>
  <body>
  <form name="leadform" method="post" action="send_data.php">
    <input type="hidden" name="create" value="lead">
    <div id="shadow-container">
      <div class="shadow1">
        <div class="shadow2">
          <div class="shadow3">
            <div class="container">
              <table width="95%" border="0" cellspacing="2" cellpadding="2">
                <tr>
                  <td width="300"><p>fields marked with <font color="#ff0000" size="+2"><strong>*</strong></font> <strong>are mandatory</strong>.
                    <p>all other fields are optional.
                    <table width="100%" border="0" cellspacing="2" cellpadding="2">
                      <tr>
                        <td width="100%"><p align="right"><span> <font color="#ff0000" size="+2"><strong>*</strong></font><strong>first name:</strong>
                            <input type="text" name="firstname" id="first_name" class="inputtext" size="30" maxlength="100" value="<?php echo $_session['firstname']?>" />
                            </span></p>
                          <p align="right"><span><font color="#ff0000" size="+2"><strong>*</strong></font><strong>last name:</strong>
                            <input type="text" name="lastname" id="last_name" class="inputtext" size="30" maxlength="100" value="<?php echo $_session['lastname']?>" />
                            </span></p>
                          <p align="right"><span><font color="#ff0000" size="+2"><strong>*</strong></font><strong>company:</strong>
                            <input type="text" name="company" id="company" class="inputtext" size="30" maxlength="100" value="<?php echo $_session['company']?>">
                            </span></p>
                          <p align="right"><font color="#ff0000" size="+2"><strong>*</strong></font><span><strong>email</strong>:
                            <input type="text" name="email" id="email" class="inputtext" size="30" maxlength="100" value="<?php echo $_session['email']?>" />
                            </span></p>
                          <p align="right"> <span>telephone:
                            <input type="text" name="phone" id="phone" class="inputtext" size="30" maxlength="30" value="<?php echo $_session['phone']?>">
                            </span></p>
                          <p align="right"> <span>address:
                            <input type="text" name="street" id="street" class="inputtext" size="30" maxlength="100" value="<?php echo $_session['street']?>" />
                            </span></p>
                          <p align="right"> <span>city:
                            <input type="text" name="city" id="city" class="inputtext" size="30" maxlength="100" value="<?php echo $_session['city']?>" />
                            </span></p>
                          <p align="right"> <span>country:
                            <input type="text" name="country" id="country" class="inputtext" size="30" maxlength="100" value="<?php echo $_session['country']?>" />
                            </span> <span> </span> 
                          <span><br>
                          <p align="center"><strong>message:</strong></p>
                          <p align="right">
                            <textarea name="description" rows="4" cols="32"><?php echo $_session['description']?></textarea>
                          </p>
                          </span> <span >
                          <p align="center">
                            <input type="button" name="submit" value="submit »" class="inputsubmit" onclick="validateform();">
                            <input name="" type="reset" class="inputsubmit" onclick="<?php session_destroy();?>
  window.location.reload();return false;"  value="clear" />
                          </p>
                          </span> </td>
                      </tr>
                    </table></td>
                  <td width="*"><table width="100%" border="0" cellspacing="2" cellpadding="2">
                      <tr>
                        <td><div id="shadow-container">
                            <div class="shadow1">
                              <div class="shadow2">
                                <div class="shadow3">
                                  <div class="container">
                                    <h3>company information</h3>
                                    <hr />
                                    <br />
                                    company name <br />
                                    address line 1<br />
                                    address line 2<br />
                                    <br />
                                    tel: <br />
                                    fax: <br />
                                    email: <a href="mailto:info@companyname.com">info@companyname.com</a></div>
                                </div>
                              </div>
                            </div>
                          </div></td>
                      </tr>
                      <tr>
                        <td><div class="optional"> <?php echo recaptcha_get_html($publickey)?> </div></td>
                      </tr>
                    </table></td>
                </tr>
              </table>
            </div>
          </div>
        </div>
      </div>
    </div>
  </form>
  </body>
  </html>
  

  
  
  
  /webforms/lead/send_data.php
  

  <?php
  // this starts the session
  session_start();
  
  // this sets variables in the session
  $_session['firstname']=$_post['firstname'];
  $_session['lastname']=$_post['lastname'];
  $_session['company']=$_post['company'];
  $_session['email']=$_post['email'];
  $_session['phone']=$_post['phone'];
  $_session['street']=$_post['street'];
  $_session['city']=$_post['city'];
  $_session['country']=$_post['country'];
  $_session['description']=$_post['description'];
  ?> 
  
  <?php
  /*********************************************************************************
  ** the contents of this file are subject to the vtiger crm public license version 1.0
   * ("license"); you may not use this file except in compliance with the license
   * the original code is:  vtiger crm open source
   * the initial developer of the original code is vtiger.
   * portions created by vtiger are copyright (c) vtiger.
   * all rights reserved.
  *
   ********************************************************************************/
  
  include("config.php");
  require_once('nusoap/lib/nusoap.php');
  
  // recapture begin
  require_once('recaptchalib.php');
  $privatekey = " "; // your recaptcha private key, received from the signup page.
  $resp = recaptcha_check_answer ($privatekey,
                                  $_server["remote_addr"],
                                  $_post["recaptcha_challenge_field"],
                                  $_post["recaptcha_response_field"]);
  
  if (!$resp->is_valid) {
    ?>
  <div id="shadow-container">
    <div class="shadow1">
      <div class="shadow2">
        <div class="shadow3">
          <div class="container" align="center" >
            <table border="0" cellspacing="1" cellpadding="5">
              <tr>
                <td align="center"><p><img src="/webforms/lead/oops.png" width="100" height="83" /><br />
                    <strong>the recaptcha wasn't entered correctly. </strong></p>
                  <p><strong>please <a href="http://sitename.com/webforms/lead/index.php" target="_top">go back</a> and try it again.</strong></p></td>
              </tr>
            </table>
          </div>
        </div>
      </div>
    </div>
  </div>
  <?
    
    die ("");
  }
  // recapture end
  
  
  $client = new soapclient2($server_path."/vtigerservice.php?service=webforms", false,
                                                  $proxyhost, $proxyport, $proxyusername, $proxypassword);
  $err = $client->geterror();
  
  if($_request['create'] == 'lead')
  {
     if(get_magic_quotes_gpc())
     {
        $firstname = stripslashes($_post['firstname']);
        $lastname = stripslashes($_post['lastname']);
        $company = stripslashes($_post['company']);
        $email = $_post['email'];
        $phone = stripslashes($_post['phone']);
        $street = stripslashes($_post['street']);
  	  $city = stripslashes($_post['city']);
  	  $country = stripslashes($_post['country']);
        $description = "webform : ".stripslashes($_post['description']);
  	  
     }
     else
     {
        $firstname = $_post['firstname'];   
        $lastname = $_post['lastname'];
        $company = $_post['company'];
        $email = $_post['email'];
        $phone = $_post['phone'];
  	  $street = $_post['street'];
        $city = $_post['city'];
  	  $country = $_post['country'];
        $description = "webform : ".$_post['description'];
  	  
     }
  
     $params = array(
        'firstname' => "$firstname",
        'lastname' => "$lastname",
        'company' => "$company",      
        'email' => "$email",
        'phone' => "$phone",
  	  'street' => "$street",
        'city' => "$city",
  	  'country' => "$country",
        'description' => "$description",
        'assigned_user_id' => "$assigned_user_id"
     );
  
     if($lastname != '' && $company != '')
     {
        $result = $client->call('create_lead_from_webform', $params, $server_path, $server_path);
     
        if($result['faultstring'] != '' && is_array($result))
        {
           echo '<br>'.$result['faultstring'];
        }
        else
        {
           send_email($params);
           echo '<br><br>'.$result.'<br><br><a href="index.php">home</a>';
  		 session_destroy(); 
        }
     }
     else
     {
        $error_message = "last name and company must be entered to create a lead.";
        include("index.php");
     }
  }
  else
  {
     include("index.php");
  }
  
  function send_email($arr) {
     $to = "info@companyname.com";
     $subject = "new lead recieved: " . $arr['company'];
     $message =    "a new lead has been recieved on vtiger via the web form \n" .
           "--------------------------------------------------------\n" .
           "firstname:   " . $arr['firstname'] . "\n" .
           "lastname:   " . $arr['lastname'] . "\n" .
           "company:   " . $arr['company'] . "\n" .
           "email:      " . $arr['email'] . "\n" .
           "telephone:   " . $arr['phone'] . "\n" .
           "city:      " . $arr['city'] . "\n" .
           "comments:   " . $arr['description'] . "\n\n";
  
     //mail headers
     $headers = "mime-version: 1.0\n";
     $headers .= "content-type: text/plain; charset=iso-8859-1\n";
     $headers .= "x-priority: 3\n";
     $headers .= "x-msmail-priority: normal\n";
     $headers .= "x-mailer: php\n";
     $headers .= "from: \"admin\" <$to>\n";
     $headers .= "return-path: $to\n";
     $headers .= "return-receipt-to: $to\n";
  
     mail($to,$subject,$message,$headers);
     }
  ?>
  
  

  
  
  
  (vtigerhostname)/soap/webforms.php
  
  

  <?php
  /*********************************************************************************
  ** the contents of this file are subject to the vtiger crm public license version 1.0
   * ("license"); you may not use this file except in compliance with the license
   * the original code is:  vtiger crm open source
   * the initial developer of the original code is vtiger.
   * portions created by vtiger are copyright (c) vtiger.
   * all rights reserved.
  *
   ********************************************************************************/
  
  require_once("config.php");
  require_once('include/logging.php');
  require_once('include/nusoap/nusoap.php');
  require_once('include/database/peardatabase.php');
  require_once('modules/helpdesk/helpdesk.php');
  
  $log = &loggermanager::getlogger('webforms');
  
  //$serializer = new xml_serializer();
  $namespace = 'http://www.vtiger.com/vtigercrm/';
  $server = new soap_server;
  
  $server->configurewsdl('vtigersoap');
  
  
  $server->register(
  	'create_lead_from_webform',
  	array(
  		'firstname'=>'xsd:string',
  		'lastname'=>'xsd:string',
  		'company'=>'xsd:string', 
  		'email'=>'xsd:string', 
  		'phone'=>'xsd:string', 
  		'street'=>'xsd:string', 
  		'city'=>'xsd:string', 
  		'country'=>'xsd:string', 
  		'description'=>'xsd:string',
  		'assigned_user_id'=>'xsd:string'
  	     ),
  	array('return'=>'xsd:string'),
  	$namespace);
  
  $server->register(
  	'create_contact_from_webform',
  	array(
  		'first_name'=>'xsd:string',
  		'last_name'=>'xsd:string',
  		'email_address'=>'xsd:string',
  		'home_phone'=>'xsd:string',
  		'department'=>'xsd:string',
  		'description'=>'xsd:string',
  		'assigned_user_id'=>'xsd:string'
  	     ),
  	array('return'=>'xsd:string'),
  	$namespace);
  
  $server->register(
  	'unsubscribe_email',
  	array(
  		'email_address'=>'xsd:string'
  	     ),
  	array('return'=>'xsd:string'),
  	$namespace);
  
  
  /**	function used to create lead from webform from the passed details
   *	@param string $lastname	- last name of the lead
   *	@param string $email - email of the lead
   *	@param string $phone - phone number of the lead
   *	@param string $company - company name of the lead
   *	@param string $country - country name of the lead
   *	@param string $description - description to create a lead
   *	@param int $assigned_user_id - assigned to user for the lead
   *	return message success or failure about the lead creation 
   */
  function create_lead_from_webform($firstname, $lastname, $company, $email, $phone, $street, $city, $country, $description, $assigned_user_id)
  {
  	global $adb;
  	$adb->println("create new lead from web form - starts");
  
  	if($assigned_user_id == '')
  	{
  		//if the user id is empty then assign it to the admin user
  		$assigned_user_id = $adb->query_result($adb->pquery("select id from vtiger_users where user_name=?", array('admin')),0,'id');
  	}
  
  	require_once("modules/leads/leads.php");
  	$focus = new leads();
  	$focus->column_fields['firstname'] = $firstname;
  	$focus->column_fields['lastname'] = $lastname;
  	$focus->column_fields['company'] = $company;
  	$focus->column_fields['email'] = trim($email);
  	$focus->column_fields['phone'] = $phone;
  	$focus->column_fields['street'] = $street;
  	$focus->column_fields['city'] = $city;
  	$focus->column_fields['country'] = $country;
  	$focus->column_fields['description'] = $description;
  	$focus->column_fields['assigned_user_id'] = $assigned_user_id;
  
  	$focus->save("leads");
  	//$focus->retrieve_entity_info($focus->id,"leads");
  
  	$adb->println("create new lead from web form - ends");
  
  	if($focus->id != '')
  		$msg = 'thank you for your interest. information has been successfully added as lead in vtigercrm.';
  	else
  		$msg = "lead creation failed. please try again";
  
  	return $msg;
  }
  
  /**	function used to create contact from webform from the passed details
   *	@param string $first_name	- first name to create contact
   *	@param string $last_name	- last name to create contact
   *	@param string $email_address - email address to create contact
   *	@param string $home_phone - phone number of home to create contact
   *	@param string $department - department to create contact
   *	@param string $description - description to create contact
   *	@param int $assigned_user_id - assigned to user for the contact
   *	return message success or failure about the contact creation 
   */
  function create_contact_from_webform($first_name, $last_name, $email_address, $home_phone, $department,$description, $assigned_user_id)
  {
  	global $adb;
  
  	$adb->println("create new contact from web form - starts");
  	if($assigned_user_id == '')
  	{
  		//if the user id is empty then assign it to the admin user
  		$assigned_user_id = $adb->query_result($adb->pquery("select id from vtiger_users where user_name=?", array('admin')),0,'id');
  	}
  
  	require_once('modules/contacts/contacts.php');
  	$focus = new contacts();
  
  	$focus->column_fields['firstname'] = $first_name;
  	$focus->column_fields['lastname'] = $last_name;
  	$focus->column_fields['email'] = trim($email_address);
  	$focus->column_fields['homephone'] = $home_phone;
  	$focus->column_fields['department'] = $department;
  	$focus->column_fields['description'] = $description;
  	$focus->column_fields['assigned_user_id'] = $assigned_user_id;
  
  	$focus->save("contacts");
  	//$focus->retrieve_entity_info($focus->id,"contacts");
  
  	$adb->println("create new contact from web form - ends");
  
  	if($focus->id != '')
  		$msg = 'thank you for your interest. information has been successfully added as contact in vtigercrm.';
  	else
  		$msg = "contact creation failed. please try again";
  
  	return $msg;
  }
  
  /**	function used to unsubscribe the mail
   *	@param string $emailid - email address to unsubscribe
   *	return message about the success or failure status about the unsubscribe
   */
  function unsubscribe_email($emailid)
  {
  	global $adb;
  	$adb->println("enter into the function unsubscribe_email($emailid)");
  
  	$emailid = trim($emailid);
  	
  	$contact_res = $adb->pquery("select emailoptout from vtiger_contactdetails where email=?", array($emailid));
  	$contact_noofrows = $adb->num_rows($contact_res);
  	$emailoptout = $adb->query_result($contact_res,0,'emailoptout');
  
  	if($contact_noofrows > 0)
  	{
  		if($emailoptout != 1)
  		{
  			$adb->pquery("update vtiger_contactdetails set emailoptout=1 where email=?", array($emailid));
  			$msg = "you have been unsubscribed.";
  		}
  		else
  		{
  			$msg = "you are already unsubscribed.";
  		}
  	}
  	else
  	{
  		$msg = "there are no record available for this mail address.";
  	}
  
  	$adb->println("exit from the function unsubscribe_email($emailid)");
  	return $msg;
  }
  
  
  //$log->fatal("in soap.php");
  
  /* begin the http listener service and exit. */ 
  $server->service($http_raw_post_data); 
  
  exit(); 
  
  
  
  ?>
  

  
  
  
  and i added these files.
  
  /webforms/lead/form.css

  /* shadow css */
  #shadow-container {
      position: relative;
      left: 3px;
      top: 3px;
      margin-right: 3px;
      margin-bottom: 3px;
  }
  
  #shadow-container .shadow2,
  #shadow-container .shadow3,
  #shadow-container .container {
      position: relative;
      left: -1px;
      top: -1px;
  }
  
      #shadow-container .shadow1 {
          background: #f1f0f1;
      }
  
      #shadow-container .shadow2 {
          background: #dbdadb;
      }
  
      #shadow-container .shadow3 {
          background: #b8b6b8;
      }
  
      #shadow-container .container {
          background: #ffffff;
          border: 1px solid #848284;
          padding: 10px;
      }
  

  
  
  /webforms/lead/validateform.js (pulled from index.php and modified)
  

  // javascript document
  
  
  string.prototype.trim = function() {
  a = this.replace(/^\s+/, '');
  return a.replace(/\s+$/, '');
  };
  
  function validateform(){
  	var str=document.leadform.email.value;
  	var email = document.leadform.email.value;
  	var fname = document.leadform.firstname.value;
  	var lname = document.leadform.lastname.value;
  	var company = document.leadform.company.value;	
  	var regexps =new regexp(/^[a-za-z0-9]+([\_\-\.]*[a-za-z0-9]+[\_\-]?)*@[a-za-z0-9]+([\_\-]?[a-za-z0-9]+)*\.+([\-\_]?[a-za-z0-9])+(\.?[a-za-z0-9]+)*$/)
  
  	if(fname.trim() == ''){
  			alert("please enter your first name.");
  			return false;
  		
  		}
  		
  	if(lname.trim() == ''){
  			alert("please enter your last name.");
              return false;
  				
          }
  		
  	if(company.trim() == ''){
  			alert("company name required. if a company name is not applicable, type 'none' ");
  			return false;
  		}
  		
  			
  	if(email.trim() == ''){
  			alert("please enter your email. fake it if you have to, but we need to have a way of contacting you! ");
  			return false;
  		}
  	
  	
  	if (regexps.test(str) || (str == '')) {
  		document.leadform.submit();
  
  	}
  	else
  	{	
  		alert('please enter a valid email address.');
  		return false;
  	}	
   }
  
  

  
  /webforms/lead/recaptchalib.php (received from <!-- m --><a class="postlink" href="http://recaptcha.net/whyrecaptcha.html">http://recaptcha.net/whyrecaptcha.html</a><!-- m --> , please go there to sign up and get captcha on your form)
  
  /webforms/lead/oops.png
• effgee

  January 2009 Vote Up0Vote Down

  also on my previous post i missed an additional feature.
  that is that the form data is kept if a user presses the back button between filling out the form and submitting it.
  
  now my idea for hacking in some form of security.
  
  ---
  
  
  the major problem as i see it, is there is no checking via the webforms.php on where the data that is being sent to comes from.
  i don't have an elegant solution at the moment. ( i am not a terribly good programmer)
  
  but, there is a solution.
  
  the basic idea behind this fix, is that in order to exploit the webforms soap interface, the exploiter must know how to access the processing form, in this case webforms.php.
  
  this idea, is security through obscurity. we rename webforms.php and the name of the soap service and change the code in the required files.
  
  for example.
  
  it requires modification of these files.
  
  change vtigerservice.php
  
  change this line

  elseif($_request['service'] == "webforms")
  	{
  		include("soap/webforms.php");
  	}
  

  
  to (it should actually be any random string of your choosing)
  

  elseif($_request['service'] == "udhy382j")
  	{
  		include("soap/udhy382j.php");
  	}
  

  
  
  change send_data.php
  

  $client = new soapclient2($server_path."/vtigerservice.php?service=webforms", false,
                                                  $proxyhost, $proxyport, $proxyusername, $proxypassword);
  

  
  to (match the service name entered in vtigerservice.php)
  
  

  $client = new soapclient2($server_path."/vtigerservice.php?service=udhy382j", false,
                                                  $proxyhost, $proxyport, $proxyusername, $proxypassword);
  

  
  
  and finally rename
  webforms.php
  to
  udhy382j.php (match the vtigerservice.php entry as well.)
  
  
  i don't know if any other pages rely on the presence of webforms.php but for now this should provide a small level of security, through obscurity.
• prasad.a

  February 2009 Vote Up0Vote Down

  hi,
  
  if you are not using webforms plugin for your site, i would recommend you to rename soap/webforms.php to soap/webforms.php.txt
  
  in 5.1 we are planning to provide better webforms integration using vtiger crm webservices.
  
  regards,
  prasad
  vtiger team
• Jegas

  February 2009 Vote Up0Vote Down

  does this "in development" webservice code have a wsdl yet? at least a partial one with the functions, parameters and return results?
  
  i'm currently working on a project that this would help tremendously. right now i'm using a home grown multi-threaded web server with its own webservice system - which takes the place of the php entirely.
  
  it's very secure - session based - ip address verified each call etc... but if the vtiger team has a secure alternative - than that could open more doors for various installations/integration etc.
  
  the project i'm referring is a new a work in progress still - but the webservice stuff is coming along nicely.
• prasad.a

  February 2009 Vote Up0Vote Down

  hi jason,
  
  webforms extension being developed is using the webservices api added for vtiger crm 5.1.0
  
  kindly look at the following documentation for more details:
  <!-- m --><a class="postlink" href="http://www.vtiger.com/archives/validation/5.1/2008.10/vtigercrm_5.1.0_webservices.pdf">http://www.vtiger.com/archives/validati ... rvices.pdf</a><!-- m -->
  
  related post:
  <!-- m --><a class="postlink" href="http://www.vtiger.com/blogs/2008/10/23/vtiger-crm-web-services/">http://www.vtiger.com/blogs/2008/10/23/ ... -services/</a><!-- m -->
  
  regards,
  prasad
  vtiger team
• vTiger.it

  February 2009 Vote Up0Vote Down

  hi prasad,
  to secure some installation we have added an ip validation check on webforms.php.
  this could be useful for all people who need webforms whitin 5.0.4
  
  if someone is interested we can post the code here
  
  regards
  dade
• prasad.a

  February 2009 Vote Up0Vote Down

  hi dade,
  
  i would certainly encourage you to share the code here.
  
  if possible please do post it on <!-- m --><a class="postlink" href="http://trac.vtiger.com">http://trac.vtiger.com</a><!-- m --> and share the patch.
  
  regards,
  prasad
  vtiger team