Summary: DBAppsecurity Security Research Team discovers multiple SQL injection vulnerabilities in the vtiger CRM application.
Impact: SQL Injection
Risk: High
Affected Software: Vtiger CRM System 5.0.2
Detail:
DBAPPSecurity Security Research Team discovered multiple SQL injection vulnerabilities in the vtiger CRM system. Using our pen-test tool, or even manually, one can easily exploit them to obtain all information in the backend MySQL database, as well as gain more severe control.
The following are a few of the URLs subject to these vulnerabilities:
http://192.168.3.53:80/index.php?module=Accounts&action=AccountsAjax&file=ListView&ajax=true&order_by=accountname&start=0&sorder=DESC&viewname=5
SQL Injection Type: MYSQL_NUM_TYPE_1
MySQL database name: vtigercrm502
MySQL user: root@0x90909090
http://192.168.3.53:80/index.php?module=PurchaseOrder&action=PurchaseOrderAjax&file=ListView&ajax=true&order_by=subject&start=0&sorder=DESC&smodule=PO&viewname=25
SQL Injection Type: MYSQL_NUM_TYPE_1
MySQL database name: vtigercrm502
MySQL user: root@0x90909090
Furthermore, any table information/content can be obtained from here on.
We searched the vtiger-related NVD/CVE entries and this vulnerability was not mentioned.
The CRM version in which this vulnerability was found is the latest version so far, 5.0.2. The OS was Windows, but we believe the same bug exists on Linux.
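For defenders reviewing web-server logs, the following added example (not from the advisory and not vtiger code) flags ListView requests whose order_by, start, sorder or viewname values fall outside the shapes seen in the URLs above. The validation patterns, the access-log format and the sample lines are assumptions constructed for illustration; the advisory does not state which parameter is injectable.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Expected shape of each list-view parameter seen in the advisory's URLs.
# These patterns are assumptions, not vtiger's own validation rules.
RULES = {
    "start": re.compile(r"[0-9]{1,9}"),
    "viewname": re.compile(r"[0-9]{1,9}"),
    "sorder": re.compile(r"ASC|DESC", re.IGNORECASE),
    "order_by": re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}"),
}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_params(target):
    """Return sorted names of list-view parameters that break RULES."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    # Only index.php?...&file=ListView requests are in scope; the module is
    # not filtered because the advisory lists only a few affected URLs.
    if not parts.path.endswith("index.php") or query.get("file") != ["ListView"]:
        return []
    bad = []
    for name, pattern in RULES.items():
        values = query.get(name, [])
        # A repeated parameter or a value outside the pattern is flagged.
        if len(values) > 1 or any(not pattern.fullmatch(v) for v in values):
            bad.append(name)
    return sorted(bad)


def scan(log_lines):
    """Yield (line_number, client_ip, bad_params) for flagged log lines."""
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        bad = suspicious_params(match.group(1)) if match else []
        if bad:
            yield number, line.split(" ", 1)[0], bad


# Constructed access-log lines (documentation IP addresses, made-up values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2008:10:00:00 +0000] "GET /index.php?module=Accounts&action=AccountsAjax&file=ListView&ajax=true&order_by=accountname&start=0&sorder=DESC&viewname=5 HTTP/1.1" 200 5120',
    '192.0.2.66 - - [01/Jan/2008:10:00:05 +0000] "GET /index.php?module=Accounts&action=AccountsAjax&file=ListView&ajax=true&order_by=accountname&start=0&sorder=DESC&viewname=5%20AND%201%3D1 HTTP/1.1" 200 5120',
    '192.0.2.66 - - [01/Jan/2008:10:00:09 +0000] "GET /index.php?module=PurchaseOrder&action=PurchaseOrderAjax&file=ListView&ajax=true&order_by=subject%27&start=0&sorder=DESC&smodule=PO&viewname=25 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    print(list(scan(SAMPLE_LOG)))
```

The same patterns can serve as a request filter in front of the application until the affected code validates these parameters itself.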
CVE Information: CVE ID: Upcoming
Acknowledgment: DBAppsecurity Security Research Team.
About DBAppsecurity: DBAPPSecurity is a company focused on application security and database security.
Disclaimer: This information shall never be abused.
Contact: info@dbappsecurity.com