Vtiger exploit - extremely dangerous

Postby ciacho » Thu May 24, 2012 6:12 am

I found strange Apache logs on my server:
http://ip_address/vtigercrm/modules/com ... al.conf%00

An attacker can view any file.

Vulnerability: Vtiger 5.10

More information:
http://www.securityfocus.com/bid/47263/discuss
VICIdial installations in POLAND
ciacho
 
Posts: 48
Joined: Tue Jul 08, 2008 1:46 am
Location: POLAND
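The request ciacho found is the classic shape of a file-disclosure attempt: a path under /vtigercrm/ carrying "../" traversal and a %00 null byte. The following is an added example, not code from the thread or from Vtiger or VICIdial, that scans Apache combined-format access-log lines for exactly that shape, decoding the URL repeatedly so double-encoded variants (%252e%252e%252f, %2500) are caught as well. The log lines are constructed for the example; the module path /vtigercrm/modules/Example/show.php and its "file" parameter are hypothetical, not the script named in the truncated log entry above.

```python
"""Scan Apache access-log lines for traversal / null-byte requests under a path prefix.

Added example (not part of the original forum thread). The log lines in
SAMPLE_LOG are constructed; the script name and parameter in them are
hypothetical, not the real Vtiger module from the truncated log entry.
"""
import re
from urllib.parse import unquote

# Apache combined log format:
# ip ident user [time] "METHOD path PROTOCOL" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

TRAVERSAL_MARKERS = ("../", "..\\")

# Constructed sample: one normal request, the reported attack shape,
# a double-encoded copy of it, a traversal outside /vtigercrm/, and a
# benign query that merely contains "..".
SAMPLE_LOG = """\
203.0.113.7 - - [24/May/2012:05:58:11 +0200] "GET /vtigercrm/index.php?module=Home HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [24/May/2012:05:58:40 +0200] "GET /vtigercrm/modules/Example/show.php?file=../../../../etc/passwd%00 HTTP/1.1" 200 1873 "-" "Mozilla/5.0"
203.0.113.7 - - [24/May/2012:05:59:02 +0200] "GET /vtigercrm/modules/Example/show.php?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd%2500 HTTP/1.1" 200 1873 "-" "Mozilla/5.0"
198.51.100.9 - - [24/May/2012:06:01:15 +0200] "GET /images/..%2f..%2fetc/passwd HTTP/1.1" 404 312 "-" "curl/7.21"
192.0.2.33 - - [24/May/2012:06:03:44 +0200] "GET /vtigercrm/index.php?module=Leads&q=foo..bar HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""


def decode_path(path, rounds=3):
    """URL-decode until the string stops changing (bounded), so that
    double-encoded sequences are unwrapped to what PHP would finally see."""
    prev = path
    for _ in range(rounds):
        cur = unquote(prev)
        if cur == prev:
            break
        prev = cur
    return prev


def classify(path):
    """Return the list of reasons a request path looks like a file-disclosure attempt."""
    decoded = decode_path(path)
    reasons = []
    if "\x00" in decoded:
        reasons.append("null byte")
    if any(marker in decoded for marker in TRAVERSAL_MARKERS):
        reasons.append("directory traversal")
    # If one round of decoding did not reach the final form, the attacker
    # encoded the payload more than once to slip past naive filters.
    if reasons and unquote(path) != decoded:
        reasons.append("double encoding")
    return reasons


def scan_log(log_text, prefix="/vtigercrm/"):
    """Parse each line, keep requests under `prefix`, and report suspicious ones."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path")
        if not path.startswith(prefix):
            continue
        reasons = classify(path)
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "status": int(m.group("status")),
                "path": path,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {', '.join(f['reasons'])}: {f['path']}")
```

Run it against a real log with `scan_log(open("/var/log/apache2/access_log").read())`. A status of 200 on a flagged request is the line to triage first, since it means the server answered rather than rejected the request; a 404 on the /images/ line above is still worth noting as reconnaissance. Passing `prefix="/"` widens the scan to the whole vhost.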

Re: Vtiger exploit - extremely dangerous

Postby DomeDan » Thu May 24, 2012 6:43 am

Damn! Thank you for that information!
I haven't even thought about vulnerabilities in Vtiger because I haven't used it.

People like me who don't use it can do a quick fix by disabling access to vtigercrm/ with this command (and thus prevent other unknown exploits in Vtiger from being reached too!):

    # remove all permissions so the web server user can no longer read or enter the directory
    chmod 000 /srv/www/htdocs/vtigercrm/

To make it accessible again, you can use: chmod 755 /srv/www/htdocs/vtigercrm/
Vicidial Partner. Region: Sweden/Norway.
Does Vicidial installation, configuration, customization, add-ons, CRM implementation, support, upgrading, network-related, pentesting etc. Remote and onsite assistance.
Email: domedan (at) gmail.com
DomeDan
 
Posts: 1226
Joined: Tue Jan 04, 2011 9:17 am
Location: Sweden

Re: Vtiger exploit - extremely dangerous

Postby mflorell » Thu May 24, 2012 11:37 am

Thank you for posting this. That is one of the reasons we stopped including Vtiger on our vicibox ISOs. Most likely we will disable the Vtiger integration features at some point in the future, since they have not been updated in a couple of years, and nobody wants to sponsor the upkeep costs of the integration (which are rather significant).
mflorell
Site Admin
 
Posts: 18339
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida
