Release date: 2013-08-01
Updated on:
Affected Systems:
Vtiger CRM 5.3
Vtiger CRM 5.2.1
Vtiger CRM 5.2
Vtiger CRM 5.1
Description:
--------------------------------------------------------------------------------
Bugtraq id: 61560
CVE (CAN) ID: CVE-2013-3212
Vtiger CRM is a free open-source customer relationship management software.
In Vtiger CRM 5.4.0, the get_list_values and get_project_components SOAP methods in /soap/customerportal.php do not correctly validate the value passed in the "module" parameter, which is then used in a call to require_once(). This can be exploited to include arbitrary local files containing malicious PHP code. Successful exploitation requires the application to run on PHP < 5.3.4.
Source: Egidio Romano
Link: http://www.securityfocus.com/archive/1/527667
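As an added illustration (not vtiger's code), the unsafe pattern the advisory describes, a caller-controlled "module" value reaching require_once(), shown beside a hardened version that resolves the name against a fixed allow-list and confirms the final path stays under the modules directory. The module names, directory layout and function names are assumptions made for the example.

```php
<?php
// Illustrative example added to the advisory; the shapes below are assumed, not vtiger's code.

// Unsafe pattern (assumed shape, for contrast): the caller-supplied value reaches
// require_once unchecked, so the caller chooses which local file is included.
function load_module_unsafe(string $module): void
{
    require_once "modules/$module/$module.php";
}

// Hardened version: the request selects a name from a fixed allow-list; caller text is
// never used as path material. Module names here are constructed for the example.
const ALLOWED_MODULES = ['Accounts', 'Contacts', 'HelpDesk', 'Project', 'ProjectTask'];

function resolve_module(string $module): ?string
{
    // Strict alphanumeric name (rejects separators, dots and null bytes), then membership.
    if (!preg_match('/\A[A-Za-z0-9]{1,64}\z/', $module)) {
        return null;
    }
    return in_array($module, ALLOWED_MODULES, true) ? $module : null;
}

function load_module_safe(string $module): void
{
    $name = resolve_module($module);
    if ($name === null) {
        throw new InvalidArgumentException('unknown module');
    }
    $base = realpath(__DIR__ . '/modules');
    $real = realpath(__DIR__ . "/modules/$name/$name.php");
    // Defense in depth: the resolved file must still sit inside the modules directory.
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('module path outside modules directory');
    }
    require_once $real;
}

// Constructed inputs: an allowed name, an unknown name, and a name carrying a null byte.
foreach (['Accounts', 'NoSuchModule', "Accounts\0"] as $candidate) {
    $resolved = resolve_module($candidate);
    echo json_encode($candidate), ' => ', $resolved === null ? 'rejected' : $resolved, PHP_EOL;
}
```

Only the first candidate resolves; the other two are rejected before any filesystem call is made, which is the behaviour to expect regardless of the PHP version in use.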
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Vtiger
------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.vtiger.com/blogs?p=1467