Vtiger CRM 'onlyforuser' parameter SQL injection vulnerability

Vulnerability ID: 1121871    Vulnerability type: SQL injection
Published: 2013-09-20    Updated: 2013-09-20
CVE: CVE-2013-5091    CNNVD-ID: CNNVD-201309-373
Platform: PHP    CVSS score: 6.5
|Vulnerability sources
https://www.exploit-db.com/exploits/28409
https://www.securityfocus.com/bid/62487
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201309-373
|Vulnerability details
Vtiger CRM is a customer relationship management (CRM) system from the US company Vtiger, developed on the basis of SugarCRM. It provides functions for managing, collecting and analysing customer information. An SQL injection vulnerability exists in the CalendarCommon.php script of vTiger CRM 5.4.0 and earlier versions; it stems from the program not adequately filtering the 'onlyforuser' parameter passed to the index.php script. A remote authenticated attacker can exploit this vulnerability to execute arbitrary SQL commands in the database.
|Vulnerability EXP
Advisory ID: HTB23168
Product: vtiger CRM
Vendor: vtiger
Vulnerable Version(s): 5.4.0 and probably prior
Tested Version: 5.4.0
Vendor Notification: August 7, 2013 
Vendor Patch: September 17, 2013 
Public Disclosure: September 18, 2013 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2013-5091
Risk Level: Medium 
CVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered an SQL injection vulnerability in vtiger CRM, which can be exploited to execute arbitrary SQL commands in the application's database.


1) SQL Injection in vtiger CRM: CVE-2013-5091

The vulnerability exists due to insufficient validation of the "onlyforuser" HTTP GET parameter passed to the "/index.php" script. A remote authenticated user can execute arbitrary SQL commands in the application's database.

The following exploitation example displays the version of the MySQL server:

http://[host]/index.php?action=index&day=22&hour=0&module=Calendar&month=7&onlyforuser=1%20%20UNION%20SELECT%201,2,3,4,5,6,version%28%29,8,9,10,11,12,13,14,15,16,17,18,19,20,1,22,23,24,25,26,27,28,29,30,31,32%20--%20&parenttab=My%20Home%20Page&subtab=event&view=day&viewOption=hourview&year=2013

Successful exploitation of this vulnerability requires the attacker to be registered and logged in. Registration is disabled by default.
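Detection logic for this issue, added here as an example and not part of the HTB advisory or of vtiger's own code: it parses a constructed sample of Apache combined-format access-log lines and flags requests whose "onlyforuser" value is not a plain integer, the only shape a legitimate user id has, so the UNION SELECT payload shown above stands out without any signature for the specific payload.

```python
"""Added example (not from the advisory or vtiger CRM): flag index.php requests
whose 'onlyforuser' query value is not a bare integer. Log lines are constructed."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format sample; the second line carries the
# advisory's payload shape (UNION SELECT ... version() ... --), the third a
# non-numeric value with no SQL keywords, the fourth no onlyforuser at all.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jul/2013:10:01:02 +0000] "GET /index.php?action=index&day=22&module=Calendar&onlyforuser=1&view=day HTTP/1.1" 200 5123
10.0.0.9 - - [22/Jul/2013:10:01:09 +0000] "GET /index.php?action=index&day=22&hour=0&module=Calendar&month=7&onlyforuser=1%20%20UNION%20SELECT%201,2,3,4,5,6,version%28%29,8%20--%20&view=day HTTP/1.1" 200 6011
10.0.0.7 - - [22/Jul/2013:10:02:15 +0000] "GET /index.php?module=Calendar&onlyforuser=abc HTTP/1.1" 200 4000
10.0.0.7 - - [22/Jul/2013:10:02:20 +0000] "POST /index.php?module=Leads&action=Save HTTP/1.1" 302 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)
ONLY_INT = re.compile(r"^\d+$")  # a user id is digits only; anything else is suspect


def check_line(line):
    """Return a finding dict for a suspicious 'onlyforuser' value, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # not a parseable access-log line
    # parse_qs percent-decodes the value, so '%20UNION%20SELECT' becomes readable.
    qs = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    for value in qs.get("onlyforuser", []):
        if not ONLY_INT.match(value):
            low = value.lower()
            return {"ip": m.group("ip"), "ts": m.group("ts"), "value": value,
                    "union": "union" in low and "select" in low}
    return None


def scan(log_text):
    """Run check_line over every line and collect the findings in order."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The integer check is the same invariant the application side should enforce before the value reaches a query; the `union` flag only grades the finding, it is not what triggers it.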

-----------------------------------------------------------------------------------------------

Solution:

Vendor has issued a fixed version of the vulnerable script "VtigerCRM540_Security_Patch2.zip" available for download at:
http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%205.4.0/Core%20Product/

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23168 - https://www.htbridge.com/advisory/HTB23168 - SQL Injection in vtiger CRM.
[2] vtiger CRM - vtiger.com - vtiger CRM is an on demand customer relationship management software that provides sales, marketing, and support teams with powerful tools to efficiently and effectively collaborate in providing the ideal customer experience.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
|Affected products
vtiger vtiger CRM 5.3
vtiger vtiger CRM 5.2.1
vtiger vtiger CRM 5.2
|References

Source: sourceforge.net
Link: http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%205.4.0/Core%20Product/
Source: BUGTRAQ
Name: 20130918 SQL Injection in vtiger CRM
Link: http://archives.neohapsis.com/archives/bugtraq/2013-09/0079.html
Source: www.htbridge.com
Link: https://www.htbridge.com/advisory/HTB23168
Source: EXPLOIT-DB
Name: 28409
Link: http://www.exploit-db.com/exploits/28409
Source: OSVDB
Name: 76138
Link: http://osvdb.org/76138
Source: BID
Name: 62487
Link: http://www.securityfocus.com/bid/62487