|| Security Net Advisory #D.3.9.06.a

Title  : Vtiger CRM version 4.2.4 Multiple Vulnerabilities
Impact : Cross Site Scripting, Security Bypass, Remote Command Execution
Type   : Remote
Vendor : -
Url    : http://www.vtiger.com
Status : Vendor was first contacted on 29.8.2006.

|| Vulnerability

1. File upload

In the root of the application there is a file fileupload.html. There is no privilege check of any kind, and uploaded files are stored in the /cashe/mails/ folder. Any file can be uploaded and then executed.

2. XSS

The content of the variable 'description' in all modules is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session.

The content of the variable 'solution' in the 'HelpDesk' module is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session.

3. Privilege bypass

Any user can access administrator modules simply by requesting the URLs of the wanted modules, options, etc. There is no privilege check.

Example: when logged in as a non-admin user, visiting http://[host]/[vtiger_crm]/index.php?module=Settings&action=index gives access to the Settings module.

|| Contact

Author : Ivan Markovic
Site   : www.security-net.biz
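As an added example (not part of the advisory, and not vtiger code), a small Python access-log triage script that flags the three patterns described above: POSTs to fileupload.html, script requests from the upload directory, and requests for admin-only modules such as Settings. The combined log format, the admin module list and the sample log lines are assumptions; the upload directory name is taken as the advisory spells it.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed Apache/nginx "combined" access-log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

UPLOAD_PAGE = "/fileupload.html"      # unauthenticated upload page named in the advisory
UPLOAD_DIR = "/cashe/mails/"          # upload target directory, spelled as in the advisory
ADMIN_MODULES = {"Settings"}          # assumed list; extend with other admin-only modules
SCRIPT_EXTS = {"php", "phtml", "php3"}

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Aug/2006:10:01:02 +0200] "POST /vtigercrm/fileupload.html HTTP/1.1" 200 512
203.0.113.7 - - [29/Aug/2006:10:01:05 +0200] "GET /vtigercrm/cashe/mails/upload1.php HTTP/1.1" 200 89
198.51.100.4 - - [29/Aug/2006:10:02:11 +0200] "GET /vtigercrm/index.php?module=Settings&action=index HTTP/1.1" 200 4096
198.51.100.4 - - [29/Aug/2006:10:03:00 +0200] "GET /vtigercrm/index.php?module=Leads&action=index HTTP/1.1" 200 3000
"""

def parse(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyse(lines):
    """Return (rule, ip, path) findings for the vtiger 4.2.4 issues, in log order."""
    findings = []
    uploaders = set()  # IPs that POSTed to the upload page earlier in the log
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        path = rec["path"]
        parts = urlsplit(path)
        # 1. POST to the privilege-less upload page
        if parts.path.endswith(UPLOAD_PAGE) and rec["method"] == "POST":
            uploaders.add(rec["ip"])
            findings.append(("upload-page-post", rec["ip"], path))
        # 1b. a server-side script requested from the upload directory; escalate
        #     when the same IP was seen uploading before
        if UPLOAD_DIR in parts.path and parts.path.rsplit(".", 1)[-1].lower() in SCRIPT_EXTS:
            rule = "upload-then-execute" if rec["ip"] in uploaders else "script-exec-in-upload-dir"
            findings.append((rule, rec["ip"], path))
        # 3. admin-only module reached by URL; compare the session owner against
        #    the admin account list out of band, since the web log lacks the user
        if parse_qs(parts.query).get("module", [None])[0] in ADMIN_MODULES:
            findings.append(("admin-module-request", rec["ip"], path))
    return findings

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(*f)
```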