[Vtigercrm-developers] Vulnerability vtiger v6.1

[Vtigercrm-developers] Vulnerability vtiger v6.1

nab
An intrusion test revealed a vulnerability in vtiger version 6.1 (I think even in version 7) when a user other than an administrator
accesses his preferences through the address:
"https://yourwebsiteaddress/index.php?module=Users&view=PreferenceDetail&record=122".
A user who only has read access can use this URL and add the "roleid" parameter to it so that he can change his own role to the administrator
role with all privileges.
Has anyone ever heard of such a vulnerability?
How can this vulnerability be avoided?
Nb



--
Sent from: http://vtiger-crm.2324883.n4.nabble.com/vtigercrm-developers-f4.html
_______________________________________________
http://www.vtiger.com/
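The behaviour nab reports, a self-service preferences save that honours a "roleid" field sent by a non-admin user, is the mass-assignment pattern: every submitted field is copied onto the user record, so a field that changes authorization rides along with the harmless ones. The following is an added example written for this thread, not vtiger's own code or its Users module: it puts the unsafe copy-everything handler beside a hardened one that takes the record id from the session rather than the request, allowlists the fields a user may edit about himself, and rejects privileged fields outright. All function, field and role names are hypothetical, and the sample user and request are constructed.

```php
<?php
// Added example, not vtiger code. Field and function names are hypothetical.

// Fields a user is allowed to change on his own preferences page.
const SELF_EDITABLE_FIELDS = ['language', 'time_zone', 'date_format', 'signature'];

// Fields that change authorization. They must never be accepted from a
// self-service request, whatever role the caller already has.
const PRIVILEGED_FIELDS = ['roleid', 'is_admin', 'status'];

/**
 * Unsafe pattern: copy every submitted field onto the user record.
 * A read-only user who appends roleid=<admin role> to the request
 * ends up with that role, which is the escalation described in the thread.
 */
function applyPreferencesUnsafe(array $user, array $request): array
{
    foreach ($request as $field => $value) {
        $user[$field] = $value;   // no allowlist: roleid, is_admin, ... all accepted
    }
    return $user;
}

/**
 * Hardened pattern:
 *  - the record being edited is bound to the authenticated session user,
 *    so the caller cannot point the save at someone else's id;
 *  - only allowlisted self-service fields are copied;
 *  - a privileged field in the request is logged and the request is
 *    rejected, rather than silently dropping the field, so the probe is
 *    visible to whoever watches the logs.
 */
function applyPreferencesSafe(array $user, array $request, int $sessionUserId): array
{
    $record = (int) ($request['record'] ?? $sessionUserId);
    if ($record !== $sessionUserId) {
        throw new RuntimeException('record does not match the authenticated user');
    }

    foreach (PRIVILEGED_FIELDS as $field) {
        if (array_key_exists($field, $request)) {
            error_log(sprintf(
                'user %d submitted privileged field "%s" on the self-service form',
                $sessionUserId,
                $field
            ));
            throw new RuntimeException("field '$field' cannot be set from this form");
        }
    }

    foreach (SELF_EDITABLE_FIELDS as $field) {
        if (array_key_exists($field, $request)) {
            $user[$field] = $request[$field];
        }
    }
    return $user;
}

// Constructed sample: a read-only user submits the ordinary language change
// plus a smuggled roleid naming an administrator role.
$user    = ['id' => 122, 'roleid' => 'ROLE_READONLY', 'language' => 'en_us'];
$request = ['record' => '122', 'language' => 'fr_fr', 'roleid' => 'ROLE_ADMIN'];

// The unsafe handler copies the smuggled roleid through.
$escalated = applyPreferencesUnsafe($user, $request);
echo "unsafe handler: roleid is now {$escalated['roleid']}\n";

// The hardened handler refuses the same request.
try {
    applyPreferencesSafe($user, $request, 122);
} catch (RuntimeException $e) {
    echo "safe handler: rejected ({$e->getMessage()})\n";
}

// A request carrying only allowlisted fields still goes through.
$clean = applyPreferencesSafe($user, ['record' => '122', 'language' => 'fr_fr'], 122);
echo "safe handler: language={$clean['language']}, roleid={$clean['roleid']}\n";
```

Whether a particular vtiger build is affected depends on how its Users module save path handles the submitted fields; the thread only reports that 6.1 accepted the parameter and that the behaviour could not be reproduced on 6.5.0, so the practical checks are to confirm the installed version and to verify, with a non-admin account in a test instance, that a submitted roleid is ignored or rejected.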
Re: Vulnerability vtiger v6.1

Alan Lord (News)
Have you tried to contact vtiger directly?

Normally if a vulnerability is found that is the preferred method of
initial reporting, rather than telling the whole world via a mailing
list ;-)


Alan


On 26/02/2019 13:42, nab wrote:

Re: Vulnerability vtiger v6.1

Alan Lord (News)
Your vulnerability doesn't appear to work in vtiger 6.5.0 - perhaps you
should upgrade?

6.1.0 was released in September 2014...


Al


On 26/02/2019 14:00, Alan Lord wrote:

Re: Vulnerability vtiger v6.1

nab
Thanks, Alan, for the info!
Nb


