Vtiger CRM <= 8.1.0 does not properly sanitize user input before using it in a SQL statement, leading to a SQL injection in the CompanyDetails
operation of the MailManager
module.
“Vtiger all-in-one CRM empowers you to align your marketing, sales and support teams with unified customer data powered by One View. CRM made easy. Vtiger is built around a Open Source core. We remain committed to growing and nurturing the community”
Vtiger uses the MailManager::lookupMailInVtiger
function to search a term inside of its database. This function builds SQL queries with a “WHERE LIKE” condition using string concatenation, one for each enabled module, to perform the search.
Each module-specific SQL query is then fed to the vtws_query
function, which parses it and converts each module “field” inside the query to the respective table and column of the SQL database.
If one of the queries is malformed or its structure is different from the one that vtws_query
expects (for example due to an injection), a parsing error is triggered and execution is halted. The vtws_query
function also checks the privileges and read access of the user performing the query.
Nonetheless, if the target module is the Users
one and the user is not an administrator, the query is passed to the pquery
function instead, that performs it on the DBMS directly without any validation.
This can be noticed in the code below:
|
|
In order to exploit the SQL injection however, the resulting query must not trigger a parsing error when performed against other enabled modules.
Turns out that by chaining this to a Broken Access Control in the Migration
component, allows a low-privileged to unload all the modules except the Users
one and exploit the SQL injection successfully.
Settings -> CRM Settings -> Module Management -> Modules
but the Users
one.PHPSESSID
cookie value and the value of the __vtrftk
parameter used in the requests.
|
|
An authenticated attacker can leak sensitive data from the Vtiger database.
Upgrade to Vtiger CRM 8.2.0 or later.
Patched in commit.
This report was subject to Shielder’s disclosure policy:
This advisory was first published on https://www.shielder.com/it/advisories/vtiger-mailmanager-sqli/
Data
28 agosto 2024