Vtiger CRM <= 8.1.0 does not correctly check the user's privileges: a low-privileged user can interact directly with the Migration administrative module to disable arbitrary modules in the instance.
“Vtiger all-in-one CRM empowers you to align your marketing, sales and support teams with unified customer data powered by One View. CRM made easy. Vtiger is built around an Open Source core. We remain committed to growing and nurturing the community”
Vtiger CRM uses an MVC-like architecture. When Vtiger receives an HTTP POST request, the Vtiger_WebUI class dispatches it to the appropriate controller based on the values of the module and action parameters, resolving the controller through the Vtiger_Loader::getComponentClassName function. This function concatenates the module name, the action name and the string Action, separated by underscores: for example, module=Migration&action=DisableModules becomes Migration_DisableModules_Action.
Every controller must extend the Vtiger_Action_Controller class, which implements default functions and flags, for example loginRequired=true or a checkPermission function that checks whether the user is authenticated and has sufficient privileges to perform the action. These controller functions are called by Vtiger_WebUI while handling a request.
The DisableModules action of the Migration module allows an administrative user to disable a list of modules currently loaded in the Vtiger CRM instance. However, the Migration_DisableModules_Action class does not implement its own checkPermission function, so it falls back to the default implementation, which grants access to every authenticated user.
The following code shows the patch, which implements a stricter check allowing only requests from admin users:
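As an added example (not Vtiger's own code and not the patch), the following self-contained PHP script models the dispatch flow described above: a base controller whose default checkPermission only requires a login, a DisableModules action that inherits that default, and a hardened variant that overrides checkPermission to require an administrator. The User class, the PermissionDenied exception, the dispatch() helper, the process() method, the "modules" request parameter and the _Fixed class name are assumptions made for this example; the simplified getComponentClassName below only reproduces the naming rule the advisory describes, not the real function's signature.

```php
<?php
declare(strict_types=1);

// Added example, not Vtiger's code: a reduced model of the Vtiger_WebUI
// dispatch described in the advisory. Everything except the names taken
// from the advisory (Vtiger_Loader::getComponentClassName,
// Vtiger_Action_Controller, loginRequired, checkPermission,
// Migration_DisableModules_Action) is an assumption for illustration.

class PermissionDenied extends RuntimeException {}

// Hypothetical stand-in for the current session user.
final class User
{
    public function __construct(public string $name, public bool $isAdmin) {}
}

// Model of the base controller every action must extend.
abstract class Vtiger_Action_Controller
{
    // Default flag: the request must come from an authenticated session.
    public function loginRequired(): bool
    {
        return true;
    }

    // Default permission check: any authenticated user passes.
    // An action that needs a stricter policy must override this.
    public function checkPermission(?User $user): void
    {
        if ($user === null) {
            throw new PermissionDenied('authentication required');
        }
    }

    abstract public function process(array $request, User $user): string;
}

// The vulnerable shape: no checkPermission override, so the base class
// default applies and every logged-in user reaches process().
class Migration_DisableModules_Action extends Vtiger_Action_Controller
{
    public function process(array $request, User $user): string
    {
        $modules = implode(',', $request['modules'] ?? []);
        return "disabled [$modules] on behalf of {$user->name}";
    }
}

// Hardened shape (assumed, following the admin-only policy the advisory
// attributes to the patch): refuse any user who is not an administrator.
class Migration_DisableModules_Action_Fixed extends Migration_DisableModules_Action
{
    public function checkPermission(?User $user): void
    {
        parent::checkPermission($user); // still require a login
        if (!$user->isAdmin) {
            throw new PermissionDenied('admin privileges required');
        }
    }
}

// Simplified model of the naming rule: module name, action name and the
// literal "Action" joined by underscores.
function getComponentClassName(string $module, string $action): string
{
    return $module . '_' . $action . '_Action';
}

// Model of the request pipeline: resolve the controller class, enforce
// loginRequired, run checkPermission, then execute the action.
// $classOverride lets the demo route the same request to the hardened
// class without renaming it.
function dispatch(array $request, ?User $user, ?string $classOverride = null): string
{
    $class = $classOverride ?? getComponentClassName($request['module'], $request['action']);
    if (!class_exists($class) || !is_subclass_of($class, Vtiger_Action_Controller::class)) {
        throw new RuntimeException("no action controller named $class");
    }
    $controller = new $class();
    if ($controller->loginRequired() && $user === null) {
        throw new PermissionDenied('login required');
    }
    $controller->checkPermission($user);
    return $controller->process($request, $user);
}

// Constructed request mirroring module=Migration&action=DisableModules.
$request = ['module' => 'Migration', 'action' => 'DisableModules', 'modules' => ['Accounts']];
$lowPriv = new User('lowpriv', false);

echo getComponentClassName('Migration', 'DisableModules'), "\n";

// Before the fix: the low-privileged user disables the Accounts module.
echo dispatch($request, $lowPriv), "\n";

// After the fix: the same request and session are rejected.
try {
    dispatch($request, $lowPriv, Migration_DisableModules_Action_Fixed::class);
} catch (PermissionDenied $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The model makes the audit question concrete: any subclass of Vtiger_Action_Controller that exposes an administrative operation but does not override checkPermission inherits the authenticated-only default, so a review of the code base for action classes without their own checkPermission is the quickest way to find siblings of this bug.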
The proof of concept uses a low-privileged user's session: the PHPSESSID cookie value and the value of the __vtrftk parameter used in the requests are those of that user.
The server replies with a 302 Found HTTP response, meaning the module Accounts has been correctly disabled; reloading the instance confirms that Accounts is no longer available. An authenticated attacker could disable arbitrary modules to cause a service disruption.
Upgrade to Vtiger CRM 8.2.0 or later.
Patched in commit.
This report was subject to Shielder’s disclosure policy:
This advisory was first published on https://www.shielder.com/advisories/vtiger-migration-bac/
Date: 28 August 2024