Date: Tue, 12 Jan 2016 11:43:35 -0500 (EST)
From: cve-assign@...re.org
To: sec@...fl7.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Vtiger CRM 6.4 Authenticated Remote Code Execution


> This vulnerability is different than CVE-2015-6000 (in fact it is a
> result of an insufficient fix for CVE-2015-6000).
> 
> Vtiger CRM allows for the upload of a "company logo" from within the
> administrative interface.
> 
> Multiple flaws in the Settings_Vtiger_CompanyDetailsSave_Action class
> allow attackers to upload files with (almost) arbitrary contents,
> including PHP code passing commands to the underlying operating system.
> 
> However, an attacker may choose to embed malicious PHP code within a
> valid image file, for example as EXIF data of a JPEG file. Once the
> server has received the attacker's JPEG file, mime_content_type() will
> process it, correctly consider it to be a valid image file, and return
> the MIME type "image/jpeg" -- which passes Vtiger's "mime type check".
> 
> http://b.fl7.de/2016/01/vtiger-crm-6.4-auth-rce.html

As far as we can tell, the main issue you are reporting is that the
product attempts to forbid executable content within otherwise safe
file types, and does this incorrectly.

Use CVE-2016-1713.

There are no other CVE IDs for your report. For example, the ability
of the attacker to use the .php extension, although unusual, does not
seem to be an entirely separate problem.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
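An added example (Python, not Vtiger's code or the reporter's) of the point made in the quoted report: a magic-byte sniff in the style of mime_content_type() accepts a constructed JPEG whose EXIF segment holds a PHP open tag, while an upload handler that allow-lists the extension and strips every APPn/COM segment removes the embedded content before the file is stored. The sample bytes, ALLOWED_EXT and accept_logo_upload are assumptions of this example, not part of the product.

```python
from typing import Optional

# Constructed sample (not a real photo): a JPEG-shaped byte string whose APP1/EXIF
# segment carries a PHP open tag, the pattern the report describes.
def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

SAMPLE_JPEG = (
    b"\xff\xd8"                                                      # SOI
    + _segment(0xE1, b"Exif\x00\x00<?php /* constructed marker */ ?>")  # APP1 (EXIF)
    + _segment(0xDB, b"\x00" + bytes(64))                            # DQT (dummy table)
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34"      # SOS + scan data
    + b"\xff\xd9"                                                    # EOI
)
ALLOWED_EXT = {"jpg", "jpeg"}  # assumption: the logo feature only needs JPEG

def sniff_mime(data: bytes) -> Optional[str]:
    """Magic-byte sniff standing in for mime_content_type(): it never looks past the header."""
    return "image/jpeg" if data.startswith(b"\xff\xd8\xff") else None

def contains_php_tag(data: bytes) -> bool:
    return b"<?php" in data.lower() or b"<?=" in data

def strip_jpeg_metadata(data: bytes) -> bytes:
    """Drop every APPn (0xE0-0xEF) and COM (0xFE) segment, keeping the image structure.
    Everything from SOS onward (scan data, RST markers, EOI) is copied through unchanged."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG")
    out, pos = bytearray(b"\xff\xd8"), 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment boundary")
        marker = data[pos + 1]
        if marker == 0xD9:                                  # EOI before any scan
            out += b"\xff\xd9"
            break
        end = pos + 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                                  # SOS: copy scan data to the end
            out += data[pos:]
            break
        if not (0xE0 <= marker <= 0xEF or marker == 0xFE):  # keep non-metadata segments
            out += data[pos:end]
        pos = end
    return bytes(out)

def accept_logo_upload(filename: str, data: bytes) -> Optional[bytes]:
    """Extension allow-list, magic check, then metadata stripping; None means reject."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT or sniff_mime(data) != "image/jpeg":
        return None
    return strip_jpeg_metadata(data)
```

Stripping metadata (or re-encoding through an image library) is what makes the check robust; the extension allow-list alone would still let the EXIF payload reach disk.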
