more forum admins


more forum admins

Richie-4
Hello!

Of late, the number of posts has gone way beyond the manageability of a couple of guys.
We are getting close to 100 posts/day.
We need at least 5 more guys to handle the load too.

We are sending requests for more forum admins.
Some of the frequent posters are being sent the privileges so that they can track
the activities on the forums and moderate them.
It will be great if the forum admins could identify what all needs to belong
to the wiki, what to the forge and what to the forums.

The forum admins will have all the access requirements that are needed to do the job
well. 

Lastly, this is being done so that we can have a much more open system.
I feel this will also lead to a higher sense of engagement and ownership with vtiger.

Thanks,
Richie
_______________________________________________
Get started with creating presentations online - http://zohoshow.com?vt 

Re: more forum admins

Gopal-2
Hello,

Welcome Dino Eberle (eberled), Aissa Belaid (aissa), Matthew Brichacek (mmbrich), and Ken Lyle (kenlyle) to the vtiger Forums Moderation Board!

As a forum moderator you have the privileges to move posts to the relevant sub forums, delete duplicate & spam posts and move the important posts to the vtiger Wiki, available at:

http://wiki.vtiger.com

Please let me know if anyone is interested to join hands with me and streamline the vtiger communication channels.

By the way, Radiant and I are working on centralizing vtiger activities across the sites, such as vtiger.com, forums, forge, trac/SVN, Wiki, and blogs. Looking forward to your suggestions to make this operation successful.

Regards,
Gopal
---
S.S.G.Gopal
skype: sripadag
ph: +1 877 788 4437
blog: http://gopal.vtiger.com

---- On Sun, 20 Aug 2006 Richie <[hidden email]> wrote ----


Re: more forum admins

Brian Laughlin
In reply to this post by Richie-4
If you need more hands, I'll help too.

Message: 5
Date: Mon, 21 Aug 2006 00:53:30 -0700
From: Gopal <[hidden email]>
Subject: Re: [Vtigercrm-developers] more forum admins
To: [hidden email]
Cc: [hidden email], [hidden email]
Message-ID: <10d2fb85055.2638234112950316625.-3767249816949929023@@vtiger.com>
Content-Type: text/plain; charset="utf-8"


Re: more forum admins

Kim Haverblad
Well, count me in as well if there is a need for some extra hands to
help out and improve the info flow regarding vtiger. As well, I will be
happy to help out to delete spam within the forum.

While on the topic regarding the forum; are there any plans to enable
the possibility of editing postings again?

Regards,
Kim Haverblad


Re: more forum admins

Gopal-2
Dear Brian Laughlin & Kim Haverblad,

Welcome to the forums moderators' group!

Now all our moderators can edit posts along with other privileges.

Regards,
Gopal

---
S.S.G.Gopal
skype: sripadag
ph: +1 877 788 4437
blog: http://gopal.vtiger.com




---- On Mon, 21 Aug 2006 Kim Haverblad <[hidden email]> wrote ----


vTiger multiple vulnerabilities

Kim Haverblad
Open question about earlier reported vulnerabilities within vtiger;
would anyone know if following has been closed:

http://www.hardened-php.net/advisory_232005.105.html

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                        Hardened PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-


     Advisory: Multiple vulnerabilities in vTiger CRM
 Release Date: 2005/11/24
Last Modified: 2005/11/24
       Author: Christopher Kunz <[hidden email]>
  Application: vTiger 4.2 and prior
     Severity: Cross-Site Scripting, SQL injection and information
            disclosure, password hash disclosure, authentication bypass,
            local file disclosure, remote code execution
         Risk: High / Critical (depending on server configuration)
Vendor Status: Vendor informed. No fix available.
   References: http://www.hardened-php.net/advisory_232005.105.html


Overview:

   vtiger [1] is an open source customer relationship management system (CRM)
   which is maintained by an Indian company with the same name. It has been
   forked off the SugarCRM project [2] in an earlier stage, thus a number of
   issues reported by GulfTech Security in [3] are also present in vtiger. An
   additional layer of insecurity has obviously been introduced by the
   developers, enabling malicious users to log in to the CRM without any
   credentials whatsoever and execute remote code.


Details:

   1) XSS issues-a-plenty
      As James Bercegay reported, there is an abundance of XSS problems all
      over the CRM, with only a few examples being the following:
      - a malicious local user could create a contact, lead, account,
        potential or other data set that includes script code in any field.
        Typical fields would be first or last name, but nearly every other
        field is possible, too. Then, the malicious user could send the link
        to that contact to the administrator - and have the script code do
        whatever DOM operation is necessary to elevate privileges.
      - Even easier and without any inside knowledge needed:
        /index.php?action=DetailView&module=Leads&record=%3Cscript%3Ealert('document.cookie')%3C/script%3E
        (as reported by James).
      - Since the variable $_SERVER['PHP_SELF'] is used for most form
        actions, and also for creating internal links, the string
        "><script>alert('xss')</script> can be used to create a path-info
        XSS that exploits any logged-in user. The URI parameters are
        irrelevant and have been omitted to keep the example clean.
        Example:
        /index.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E/?[params]

   2) Remote XSS in RSS
      vtiger features a comprehensive RSS aggregation module, allowing users
      to read all their favorite blogs, news sites or other feeds from within
      the CRM. However, no input checking is performed before aggregated
      feeds are sent to the client. A malicious blog, news site or other
      feed could socially engineer a user into aggregating it and then use
      script code to elevate their privileges via DOM.
      We are featuring this as a different attack class since the vector
      does not require the CRM user to click on any links - being subscribed
      to a seemingly interesting blog is enough to fall victim to this
      attack.

   3) Authentication Bypass
      If the php.ini setting "magic_quotes_gpc" is set to "Off", which is
      the setting provided in php.ini-recommended, an attacker can bypass
      the authentication process completely, by entering a fabricated user
      name. Since the login form is prone to SQL injection (like any other
      form), a username like "foo' or '%'='" leads to the following SQL
      statement:
                      SELECT *
                      FROM users
                      WHERE user_name='admin'
                      OR '%'='%'
                      AND user_password='adAZ2jidC3H1M'
      This query returns 1 row with the administrator's credentials. This
      result set is used to determine that authentication was successful.
      The attacker is now logged into the CRM system as the administrator
      and can perform tasks like uploading the whole CRM instance to a
      remote system, display system information - and of course mess around
      with the customer data.

   4) User credential disclosure via SQL Injection
      Again, if magic_quotes_gpc is Off, a logged-in user can manipulate
      many form fields into displaying arbitrary values, including user
      names and passwords. Again, similar issues were reported by GulfTech -
      we have found some more injection vulnerabilities like this one:

      /?ticket_title=&contact_name=&priority=&status=&action=index&query=true&module=HelpDesk&order_by=&sorder=ASC&viewname=0&button=Search&category=&date_crit=is&date=%27+UNION+SELECT+56%2CCONCAT%28user_name%2C+%22%3A%22%2C+user_password%29%2C+%22Open%22%2C%22Normal%22%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1+from+users+where+users.user_name+LIKE+%27

      This discloses all usernames and passwords in the bugtracker ticket
      list.

   5) Unsafe file inclusion
      The "action" and "module" parameters are prone to manipulation,
      allowing display of arbitrary files on the server that runs vtiger. A
      similar bug was reported for SugarCRM in the advisory described by
      CVE-2004-1227, however the problem is far more widespread.
      Since variables from GET, POST, COOKIE and SESSION are passed to
      include() calls mostly without any checking, they can be abused to
      include any file on the local file system, by utilizing the %00
      character to null-terminate the include call.

   6) Arbitrary code execution
      Although remote file inclusion is not possible - all include()
      statements are invariably prepended with relative paths - there is an
      easy way to execute arbitrary code. Since vtiger does some extensive
      logging at every stage of a user's session, one can just enter PHP
      code in any field, GET parameter or wherever, and be sure that the
      code will be inserted into a log message. A typical log message with
      injected PHP code looks like this:
      Fri Sep 16 15:43:10 2005,627 [4648] DEBUG VT - Message ->query being
      executed : select crmentity.crmid, crmentity.smownerid,[truncated]
      where crmentity.deleted=0  AND potentialname like '<?php phpinfo() ?>%'
      Every log message is by default saved to the log file 'vtigercrm.log',
      which by default resides in a directory accessible for the web server.
      Using the vulnerability outlined in 5), an attacker can include the
      log file into the CRM suite, prompting any included PHP code to be
      executed.

Proof of Concept:

   Apart from the examples mentioned above, the Hardened PHP Project is not
   going to release any PoC for these vulnerabilities to the public.


Disclosure Timeline:

   16. September 2005 - Vendor informed.
   10. October 2005 - Follow-up to vendor.
   24. November 2005 - public disclosure


Recommendation:

   Since there is currently no fixed version available, you should protect
   your vTiger installation with the following measures:
   1. Restrict access to vtigercrm*.log via .htaccess
   2. Switch register_globals to Off.
   3. Turn magic_quotes_gpc off.
   4. Install the Hardening-Patch for PHP to disable %00 URL characters.


References:

   [1] http://www.vtiger.com/
   [2] http://www.sugarcrm.org/
   [3] http://www.gulftech.org/?node=research&article_id=00053-120104


Plug:

   You can discuss this and other vulnerabilities in our forum at
   http://forum.hardened-php.net/ - an up-to-date list of advisories can be
   found at http://www.hardened-php.net/.


GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2005 Christopher Kunz / Hardened PHP Project. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFDhgc0RDkUzAqGSqERAmY0AJ9MmHk90IYC0ojTCgp9GwZwqZRYTwCgjIzp
fn4FD2Ytt92nEijVdRiYdNo=
=8n/z
-----END PGP SIGNATURE-----
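The advisory above describes the patterns at the code level (string-built login SQL, include() fed from request parameters, PHP_SELF echoed into forms) but gives only configuration-level mitigations. The block below, added here as an illustration and not taken from vtiger's source or from the Hardened-PHP Project, shows the hardened counterparts of findings 1), 3) and 5); the function names, the users table layout, the module/action lists and the in-memory SQLite demo database are assumptions for this page.

```php
<?php
// Added example (not vtiger's code): hardened counterparts to three of the
// patterns the Hardened-PHP advisory describes. Function names, the users
// table layout and the module/action lists are assumptions for this page.
declare(strict_types=1);

// 3) Login. The advisory's query is assembled by string concatenation, so a
//    user name like  foo' or '%'='  rewrites the WHERE clause. A prepared
//    statement ships the value separately from the SQL text, so the quote is
//    never parsed as SQL and the magic_quotes_gpc setting no longer matters.
function authenticate(PDO $db, string $userName, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT id, user_name, user_password FROM users WHERE user_name = :u'
    );
    $stmt->execute([':u' => $userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                       // unknown user name, no row at all
    }
    // password_verify() accepts any crypt()-style hash, including the
    // 13-character DES hash shown in the advisory's SQL statement.
    if (!password_verify($password, $row['user_password'])) {
        return null;
    }
    unset($row['user_password']);          // callers never need the hash
    return $row;
}

// 5) Dispatch. The advisory describes include() calls fed directly from the
//    "action" and "module" request parameters, with %00 cutting the path
//    short. Resolving both against fixed allow-lists rejects NUL bytes,
//    "../" and path separators without any string scrubbing at all.
const MODULES = ['Leads', 'Contacts', 'Accounts', 'Potentials', 'HelpDesk'];
const ACTIONS = ['index', 'DetailView', 'EditView'];

function resolveModuleFile(string $baseDir, string $module, string $action): ?string
{
    if (!in_array($module, MODULES, true) || !in_array($action, ACTIONS, true)) {
        return null;                       // anything not on the list is refused
    }
    return $baseDir . '/modules/' . $module . '/' . $action . '.php';
}

// 1) Self-referencing links. $_SERVER['PHP_SELF'] reflects the request path,
//    path info included, so a form echoes whatever followed /index.php/.
//    Point forms at a fixed script path and HTML-escape it on output.
function formAction(string $scriptPath = '/index.php'): string
{
    return htmlspecialchars($scriptPath, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Demo against a constructed in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT, user_password TEXT)');
$db->prepare('INSERT INTO users (user_name, user_password) VALUES (?, ?)')
   ->execute(['admin', password_hash('correct-horse', PASSWORD_DEFAULT)]);

// The advisory's bypass string is now just an unknown user name.
var_dump(authenticate($db, "foo' or '%'='", 'anything') === null);
// A real user with the right password still gets in.
var_dump(authenticate($db, 'admin', 'correct-horse') !== null);
// A NUL-terminated log path is refused; an allow-listed module resolves.
var_dump(resolveModuleFile('/srv/vtiger', "../vtigercrm.log\0", 'index') === null);
var_dump(resolveModuleFile('/srv/vtiger', 'Leads', 'DetailView'));
var_dump(formAction());
```

The advisory's first recommendation still applies alongside such code changes: whatever lands in vtigercrm.log is request-controlled, so the log directory must not be served by the web server at all.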

vTiger multiple vulnerabilities

Brian Laughlin
I think those are all old and for 4.2.2.  I tried several mentioned and
could not recreate them using 4.2.3.

Message: 2
Date: Tue, 22 Aug 2006 11:17:20 +0200
From: Kim Haverblad <[hidden email]>
Subject: [Vtigercrm-developers] vTiger mulitple vulnerabilities
To: [hidden email]
Message-ID: <[hidden email]>
Content-Type: text/plain; charset=UTF-8


Re: vTiger multiple vulnerabilities

Kim Haverblad
Sounds great; but I would then suggest that someone sends an e-mail to
Secunia and let them know that all mentioned vulnerabilities are closed.

http://secunia.com/search/?search=vtiger

Doing this will also give some attention to the project since I myself
found a lot of interesting apps and scripts via the alerts posted by
Secunia (and as well by other security vendors).

/Kim


Re: vTiger multiple vulnerabilities

Tim Smith-10
Brian's response was "I think those are all old" and "I tried several mentioned"

I wouldn't declare them fixed until someone has officially tested them.

Tim

On 8/22/06, Kim Haverblad <[hidden email]> wrote:

Re: vTiger multiple vulnerabilities

Gopal-2
In reply to this post by Kim Haverblad
Hi Kim,

Thank you for your mail.

Immediately after fixing the vulnerabilities we informed Secunia and hardened-php.net. I will follow up with them again and ensure that these issues are closed permanently.

Once again thanks for reminding us.

Regards,
Gopal
---
S.S.G.Gopal
skype: sripadag
ph: +1 877 788 4437
blog: http://gopal.vtiger.com




---- On Tue, 22 Aug 2006 Kim Haverblad <[hidden email]> wrote ----
