Release date: 2011-10-05
Updated on: 2011-10-05
Affected Systems:
Vtiger CRM <= 5.2.x
Description:
--------------------------------------------------------------------------------
Vtiger CRM is a free, fully open-source customer relationship management software.
Vtiger CRM ships a vulnerable version of PHPMailer in /cron/class.phpmailer.php. Its SendmailSend() implementation places the Sender value into a shell command line without escaping it, so a malicious user can exploit this to execute arbitrary code remotely.
Source: Aung Khant
Link: http://seclists.org/bugtraq/2011/Oct/19
Test method:
--------------------------------------------------------------------------------
Alert
The following procedure (method) may be intrusive and is intended only for security research and teaching. Use it at your own risk!
File: /cron/class.phpmailer.php
[Code]
391: function SendmailSend($header, $body) {
392:   if ($this->Sender != "")
393:     $sendmail = sprintf("%s -oi -f %s -t", $this->Sendmail,
                             $this->Sender);
394:   else
395:     $sendmail = sprintf("%s -oi -t", $this->Sendmail);
[/Code]
Suggestion:
--------------------------------------------------------------------------------
Temporary solution:
Patch the defective code area (lines 393 and 395) so that both arguments are escaped before the command line is built:
[Code]
393:     $sendmail = sprintf("%s -oi -f %s -t",
                             escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
395:     $sendmail = sprintf("%s -oi -t", escapeshellcmd($this->Sendmail));
[/Code]
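As an added illustration (not part of this advisory and not Vtiger's or PHPMailer's own code), the helper below builds the sendmail command line the way the patched lines 393 and 395 do, and additionally refuses a Sender value that is not a syntactically valid address before it reaches the shell. The function name, the validation policy and the sample inputs are assumptions made for this example.

```php
<?php
// Added example, not Vtiger/PHPMailer code: builds the sendmail command
// line as the patched lines 393/395 do, with an extra validation layer.

/**
 * Returns the command line that would be handed to popen()/exec(), or
 * throws if the envelope sender cannot safely be used as the -f argument.
 */
function buildSendmailCommand(string $sendmailPath, string $sender): string
{
    if ($sender !== '') {
        // Defence in depth (assumed policy, not PHPMailer's): the envelope
        // sender must at least parse as an e-mail address.
        if (filter_var($sender, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException("Rejected sender: $sender");
        }
        // Mirrors the fix: escapeshellcmd() neutralises metacharacters in
        // the binary path; escapeshellarg() wraps the sender in single
        // quotes so anything it contains is passed to sendmail literally.
        return sprintf('%s -oi -f %s -t',
            escapeshellcmd($sendmailPath), escapeshellarg($sender));
    }
    return sprintf('%s -oi -t', escapeshellcmd($sendmailPath));
}

// Constructed sample inputs (not taken from the advisory).
$samples = [
    'alice@example.com',     // plain address, passes validation
    "o'brien@example.com",   // legitimate address containing a quote
    '',                      // no envelope sender, so -f is omitted
    'bob smith@example.com', // contains a space, fails validation
];
foreach ($samples as $sender) {
    try {
        echo buildSendmailCommand('/usr/sbin/sendmail', $sender), "\n";
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

The second sample shows why escapeshellarg() alone is the right primitive for the -f argument: the embedded quote is escaped rather than terminating the shell argument, so a valid address with unusual characters still works.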
Vendor patch:
Vtiger
------
At present the vendor has not released a patch or upgrade for this issue. Users of the software are advised to follow the vendor's homepage to obtain the latest version:
http://www.vtiger.com/