vTiger CRM 5.2.x <= Remote Code Execution Vulnerability

2011-10-0500:00:00

vulners.com

JSON

OVERVIEW

The vTiger CRM 5.2.1 and lower versions are vulnerable to Remote Code
Execution. No fixed version has been released as of 2011-10-05.

BACKGROUND

vtiger CRM is a free, full-featured, 100% Open Source CRM software
ideal for small and medium businesses, with low-cost product support
available to production users that need reliable support. vtiger CRM
is a widely used product with thousands of users in dozens of
countries. It has a vibrant community of users driving the product
forward, and contributing to it's development. Over 2 million copies
of vtiger CRM have been downloaded so far. It was launched as a fork
of version 1.0 of the SugarCRM project launched on December 31st,
2004.

VULNERABILITY DESCRIPTION

vTiger uses the vulnerable version of phpmailer class file located at
/cron/class.phpmailer.php .

VERSIONS AFFECTED

Tested on 5.2.1

PROOF-OF-CONCEPT/EXPLOIT

File: /cron/class.phpmailer.php
[code]

391: function SendmailSend($header, $body) {
392: if ($this->Sender != "")
393: $sendmail = sprintf("%s -oi -f %s -t", $this->Sendmail,
$this->Sender);
394: else
395: $sendmail = sprintf("%s -oi -t", $this->Sendmail);

[/code]

SOLUTION

The vendor hasn't attempted to incorporate the latest version of
phpMailer class in their vTigerCRM as of version 5.2.1.

The flawed code portion can be patched with:

393: $sendmail = sprintf("%s -oi -f %s -t",
escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
395: $sendmail = sprintf("%s -oi -t", escapeshellcmd($this->Sendmail));