egix@karmainsecurity ~ $

vtiger CRM <= 5.4.0 (vtigerolservice.php) PHP Code Injection Vulnerability

• Software Link:

http://www.vtiger.com

• Affected Versions:

All versions from 5.0.0 to 5.4.0.

• Vulnerability Description:

The vulnerable code is located in the AddEmailAttachment() SOAP method defined in /soap/vtigerolservice.php:

458function AddEmailAttachment($emailid,$filedata,$filename,$filesize,$filetype,$username,$session)
459{
460    if(!validateSession($username,$session))
461    return null;
462    global $adb;
463    require_once('modules/Users/Users.php');
464    require_once('include/utils/utils.php');
465    $filename = preg_replace('/\s+/', '_', $filename);//replace space with _ in filename
466    $date_var = date('Y-m-d H:i:s');
467 
468    $seed_user = new Users();
469    $user_id = $seed_user->retrieve_user_id($username);
470 
471    $crmid = $adb->getUniqueID("vtiger_crmentity");
472 
473    $upload_file_path = decideFilePath();
474 
475    $handle = fopen($upload_file_path.$crmid."_".$filename,"wb");
476    fwrite($handle,base64_decode($filedata),$filesize);
477    fclose($handle);

The vulnerability exists because this method fails to properly validate input passed through the “filedata” and “filename” parameters, which are used to write an “email attachment” in the storage directory (lines 475-477). This can be exploited to write (or overwrite) files with any content, resulting in execution of arbitrary PHP code.

• Solution:

The patch provided by the vendor doesn’t fix completely this vulnerability, because a remote authenticated user can still be able to inject and execute arbitrary code.

[*] The vendor was alerted about this when the feedback has been provided.

• Disclosure Timeline:

[13/01/2013] – Vendor notified

[06/02/2013] – Vendor asked feedback about this changeset

[05/03/2013] – Feedback provided to the vendor [*]

[26/03/2013] – Vendor patch released

[18/04/2013] – CVE number requested

[20/04/2013] – CVE number assigned

[01/08/2013] – Public disclosure

• CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-3214 to this vulnerability.

• Credits:

Vulnerability discovered by Egidio Romano.