Vtiger flaw that's being attacked

Support forum for the ViciBox ISO Server Install and ISO LiveCD Demo

Postby Acidshock » Mon Jul 16, 2012 3:29 pm

Saw a couple of these in some logs today. I searched on the forum for vtiger and security but didn't find a complaint. Not sure if this has been reported yet:

access_log:188.161.240.5 - - [16/Jul/2012:12:34:17 -0700] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..//etc/asterisk/sip-vicidial.conf%00 HTTP/1.1" 200 92724 "-" "Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0.1"
error_log:[Mon Jul 16 06:26:53 2012] [error] [client 188.161.240.5] PHP Fatal error: Class '../../../../../../../..//etc/asterisk/sip-vicidial.conf' not found in /srv/www/htdocs/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php on line 13
error_log:[Mon Jul 16 11:53:33 2012] [error] [client 188.161.240.5] PHP Fatal error: Class '../../../../../../../..//etc/asterisk/sip-vicidial.conf' not found in /srv/www/htdocs/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php on line 13
error_log:[Mon Jul 16 12:34:19 2012] [error] [client 188.161.240.5] PHP Fatal error: Class '../../../../../../../..//etc/asterisk/sip-vicidial.conf' not found in /srv/www/htdocs/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php on line 13

They are trying to get sip credentials from the file.
VERSION: 2.14-698a | BUILD: 190207-2301 | Asterisk:13.24.1-vici | Vicibox 8.1.2
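As an added example (not code from this thread, nor from vTiger or ViciBox), here is a small Python scan a ViciBox admin could run over the Apache access_log to surface requests like the one quoted above. It parses each combined-log line, decodes the `module_name` parameter sent to sortfieldsjson.php (handling the `%00` null byte and a second layer of percent-encoding), and flags values that contain `..`, a null byte, or that resolve outside the modules directory. The `/srv/www/htdocs/vtigercrm` layout is taken from the error_log lines in the post; the second to fourth sample lines and their IP addresses are constructed, not real traffic.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access_log lines. The first is modelled on the entry quoted in
# the thread; the other three are invented to show a benign request, an unrelated
# request, and a double-encoded variant. None of this is real traffic.
SAMPLE_ACCESS_LOG = """\
188.161.240.5 - - [16/Jul/2012:12:34:17 -0700] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..//etc/asterisk/sip-vicidial.conf%00 HTTP/1.1" 200 92724 "-" "Mozilla/5.0"
10.0.0.7 - - [16/Jul/2012:12:40:01 -0700] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=Contacts HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Jul/2012:12:41:15 -0700] "GET /vtigercrm/index.php?module=Leads&action=index HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Jul/2012:13:02:44 -0700] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 210 "-" "curl/7.21"
"""

# Apache "combined" log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Directory layout as shown by the error_log lines in the thread (assumption: same on your box).
WEBROOT = "/srv/www/htdocs"
MODULES_DIR = WEBROOT + "/vtigercrm/modules"
PARAM = "module_name"
# A legitimate vTiger module name is a plain identifier; anything else is suspicious.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_]+$")


def resolves_outside(base, value):
    """True if base/value, after collapsing '..' and '//', no longer lies under base.

    posixpath.join() returns value unchanged when it is absolute, so an absolute
    path such as /etc/passwd is reported as outside too.
    """
    target = posixpath.normpath(posixpath.join(base, value))
    return not target.startswith(base + "/")


def analyse_request(target):
    """Return {'value', 'findings'} for a sortfieldsjson.php request, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/sortfieldsjson.php"):
        return None
    values = parse_qs(parts.query).get(PARAM)
    if not values:
        return None
    # parse_qs already decoded one layer (so %00 is now a real NUL byte);
    # decode once more to catch double-encoded traversal such as %252e%252e.
    value = unquote(values[0])
    findings = []
    if "\x00" in value:
        findings.append("null-byte")
    if ".." in value:
        findings.append("dot-dot")
    if resolves_outside(MODULES_DIR, value.replace("\x00", "")):
        findings.append("escapes-modules-dir")
    if not SAFE_NAME.match(value):
        findings.append("not-a-module-name")
    return {"value": value, "findings": findings}


def scan_access_log(text):
    """Return one hit per suspicious request, with the source IP, time and status."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        result = analyse_request(m.group("target"))
        if result and result["findings"]:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": int(m.group("status")),
                "module_name": result["value"],
                "findings": result["findings"],
            })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print(hit["time"], hit["ip"], hit["status"],
              ",".join(hit["findings"]), repr(hit["module_name"]))
```

Run it against a real file with `scan_access_log(open("/var/log/apache2/access_log").read())`. The status column matters when triaging: the quoted request was answered with 200, so it is worth checking what the response body contained rather than assuming the PHP fatal error in error_log means nothing was disclosed.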

Re: Vtiger flaw that's being attacked

Postby williamconley » Mon Jul 16, 2012 4:03 pm

Password-protect your vtiger installation folder (so all your agents will require a single password to get in, but no one outside your organization can get in the folder at all).

We do this same thing for phpMyAdmin; you can modify it for the vTiger directory easily:

nano +75 /etc/apache2/default-server.conf

below cgi-bin directory setup,

# Protect phpMyAdmin folder from attacks
# use htpasswd2 /srv/www/passwd/phpmyadmin newuser to add new users (and delete unauthorized users from that file)
# requires /etc/init.d/apache2 restart to take effect
<Directory /srv/www/htdocs/phpMyAdmin>
 AllowOverride None
 Order allow,deny
 Allow from all
 AuthType Basic
 AuthName "phpMyAdmin -- Authorized Managers Only -- "
 AuthUserFile /srv/www/passwd/phpmyadmin
 Require valid-user
</Directory>


mkdir /srv/www/passwd


This will "create" the pwd file (note the "-c"):
htpasswd2 -c /srv/www/passwd/phpmyadmin admin


add more users to it (note the missing -c):

htpasswd2 /srv/www/passwd/phpmyadmin username


/etc/init.d/apache2 restart
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294

Re: Vtiger flaw that's being attacked

Postby Acidshock » Mon Jul 16, 2012 4:04 pm

Or remove them hehe
VERSION: 2.14-698a | BUILD: 190207-2301 | Asterisk:13.24.1-vici | Vicibox 8.1.2

