serious vTiger <=4.2 flaws
While recently mangling some XSS in vTiger 4.2, I decided to look into the rest of the advisory disclosed by the folks at www.sec-consult.com.
The situation is quite bleak; at this point the developers of vTiger have to rewrite most of that code, or do some serious patch work.
There is barely any sanitizing of variables passed in by users, and the same goes for checks to verify whether a user is accessing module files directly.
From the situation at hand, an attacker can:
1) craft malicious URLs for use in XSS against users on the domain
2) execute complex SQL queries to read database data, or inject code (rgod style)
3) upload data without authentication or checks
4) execute arbitrary code, thanks to #3
5) read local files, in the form of local inclusion attacks
If you go to the vTiger project page, it states that over 100,000 downloads of the software have taken place. If that's the case, don't be surprised by another surge of bots or defacements.