Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 12 Jan 2016 11:43:35 -0500 (EST)
From: cve-assign@...re.org
To: sec@...fl7.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Vtiger CRM 6.4 Authenticated Remote Code Execution

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> This vulnerability is different than CVE-2015-6000 (in fact it is a
> result of an insufficient fix for CVE-2015-6000).
> 
> Vtiger CRM allows for the upload of a "company logo" from within the
> administrative interface.
> 
> Multiple flaws in the Settings_Vtiger_CompanyDetailsSave_Action class
> allow attackers to upload files with (almost) arbitrary contents,
> including PHP code passing commands to the underlying operating system.
> 
> However, an attacker may choose to embed malicious PHP code within a
> valid image file, for example as EXIF data of a JPEG file. Once the
> server has received the attacker's JPEG file, mime_content_type() will
> process it, correctly consider it to be a valid image file, and return
> the MIME type "image/jpeg" -- which passes Vtiger's "mime type check".
> 
> http://b.fl7.de/2016/01/vtiger-crm-6.4-auth-rce.html

As far as we can tell, the main issue you are reporting is that the
product attempts to forbid executable content within otherwise safe
file types, and does this incorrectly.

Use CVE-2016-1713.

There are no other CVE IDs for your report. For example, the ability
of the attacker to use the .php extension, although unusual, does not
seem to be an entirely separate problem.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWlSyAAAoJEL54rhJi8gl5Wy0QALHdBn98mgUGkRiZXOA/1KJh
+b7q1rarXguIemZGi1/KU+yuI84gKb7QBpIsJz2ZxEPuJH814oDaDLLi9wnhWWg8
m1U1DVY5d7+1gGlQa8fJ3Ra6QDcCmyoDEX1VY+suQElPnm9P/CJp/68R6IUCx70A
2ZKFMFW4vTQvulK4bKfO9TVtKwl2hrGU6AG4Sj4qDCgOau/3xfFNlyzPNrKECJ6g
cJzjg/eGbQXgkaqqUOyeMe/74kNmWjFWuCd3oHugPZtvehdtJvun7idyXu31AZGN
+hDYOInRl6OL9zEc4eo38tqNk0IFAqpeAiyPuWtk2YgFMheeeTsKzl4kkqTlN56W
15CbScMyZfcQpd0DL0NAho4MPBXSDmxRBZKoAx37kPx1SCGo+UjbBGCv9UiZ3wmU
k55CKsppZWv+QyfmB/E8EUKBDerB2+k7scJImRpXGsILxCy+ZdyWt5s+iIUBZbFI
tGLqGOxEQm/StHoupBZcIxdulcE85RDt9IBXcfoz8anJNPXCF3Qts6TZoW89jpsc
Gpgawu6PXaUVFrvAsx0P20EJUEU0pz1R1U011KGetPwknmyJM/BMvjyio4JY9eMw
xoG+yxsD6slrvQFVKbV+5vfrUGvMGKVitUm84hXjPAzJDmmg/ZttjWM9h3LawGju
v+PULkENNk1Wx2PoQHug
=N8Vg
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ