
Vtiger exploit - extremely dangerous

PostPosted: Thu May 24, 2012 6:12 am
by ciacho
I found strange apache logs on my server:
http://ip_address/vtigercrm/modules/com ... al.conf%00

Attacker can view any file.

Vulnerability: Vtiger 5.10

More information:
http://www.securityfocus.com/bid/47263/discuss
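A defender-side check for the kind of log entry described above, added here as an example and not part of the original post: it scans Apache access-log lines for requests under /vtigercrm/ that carry a null byte (%00) or a directory-traversal sequence. The log lines, the IP addresses and the module path are constructed placeholders, not real vtiger paths.

```shell
#!/bin/sh
# Constructed sample access-log lines (placeholders, not from the original post).
SAMPLE_LOG='203.0.113.5 - - [24/May/2012:06:01:12 +0000] "GET /vtigercrm/index.php?module=Home HTTP/1.1" 200 5120
203.0.113.9 - - [24/May/2012:06:02:40 +0000] "GET /vtigercrm/modules/PLACEHOLDER_MODULE/view.php?file=../../../../etc/example.conf%00 HTTP/1.1" 200 912
198.51.100.7 - - [24/May/2012:06:03:01 +0000] "GET /index.html HTTP/1.1" 200 300'

# Request line under /vtigercrm/ whose URL contains a null byte (%00) or a
# traversal sequence, either raw (../) or URL-encoded (%2e%2e%2f).
PROBE_RE='"[A-Z]+ /vtigercrm/[^" ]*(%00|\.\./|%2e%2e%2f)'

# Print every matching log line; reads the given files, or stdin if none.
find_vtiger_probes() {
    grep -iE "$PROBE_RE" "$@"
}

# Print only the number of matching lines (0 when nothing matched).
count_vtiger_probes() {
    grep -ciE "$PROBE_RE" "$@"
}

# Stand-alone run over the constructed sample: prints the one suspicious line.
printf '%s\n' "$SAMPLE_LOG" | find_vtiger_probes
```

On a live system, run it over the real log instead: `find_vtiger_probes /var/log/apache2/access.log` (path assumed; adjust to your distribution).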

Re: Vtiger exploit - extremely dangerous

PostPosted: Thu May 24, 2012 6:43 am
by DomeDan
Damn! thank you for that information!
I haven't even thought about vulnerabilities in vtiger because I haven't used it.

People like me who don't use it can do a quick fix by disabling access to vtigercrm/ with this command:
(and thus prevent other unknown exploits in vtiger from being accessed too!)
chmod 000 /srv/www/htdocs/vtigercrm/


To make it accessible again you can use: chmod 755 /srv/www/htdocs/vtigercrm/

Re: Vtiger exploit - extremely dangerous

PostPosted: Thu May 24, 2012 11:37 am
by mflorell
Thank you for posting this. That is one of the reasons we stopped including Vtiger on our vicibox ISOs. Most likely we will disable Vtiger integration features at some point in the future since they have not been updated in a couple of years, and nobody wants to sponsor the upkeep costs of the integration (which are rather significant).