Info

Disclosure

Aug 29, 2006

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

vtiger CRM contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the 'fileupload.html' script not properly checking user privileges and not sanitizing input supplied to the script. This may allow an attacker to upload files that can contain arbitrary commands which can then subsequently be executed by the attacker.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Unknown
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

vtiger.com

vTiger CRM

4.2.4

References

CVE ID: 2006-4617 (see also: NVD)
Secunia Advisory ID: 21728
Related OSVDB ID: 28460 28461 28462
Other Advisory URL: http://www.security-net.biz/adv/D3906a.txt
Vendor URL: http://www.vtiger.com/
Keyword: Security Net Advisory #D.3.9.06.a

Credit

Ivan Markovic - http://www.security-net.biz/

Direct URL: http://osvdb.org/28459