SQL Injection in Vtiger CRM v7.1.0 - CVE-2019-11057

Hello! I am Mohnish Dhage. I’m a Security Analyst and a Bug Bounty Enthusiast. I would like to share one of my recent findings, which resulted in my first CVE ID (CVE-2019-11057). The vulnerability was found in Vtiger’s open source CRM version 7.1.0.

Summary

Vtiger’s Open Source CRM version 7.1.0 is vulnerable to SQL injection via the src_record parameter, which allows an authenticated user to read, update and delete tables and data in the SQL database.

Proof of Concept

Figure 1: Testing whether the src_record parameter is vulnerable to SQLi with a single quotation mark (')

Note: The figure above shows that the query was unsuccessful and that the length of the response is 9,690 bytes.

Figure 2: Testing whether the src_record parameter is vulnerable to SQLi with two single quotation marks ('')

Note: The figure above shows that the query was successful and that the length of the response is 10,957 bytes, which indicates that the parameter is likely vulnerable to SQL injection.

Figure 3: Checking the version of the SQL database by exploiting the SQLi

Query used: -3096 union select 100' UNION ALL SELECT version(),NULL,NULL,NULL,NULL,NULL,NULL,NULL -- IJXL
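As an added defensive example that is not part of this writeup: a Python check that parses access-log lines and flags requests whose src_record value is not a plain numeric record id, or carries the quote, UNION SELECT and comment patterns shown in the three figures. The log lines are constructed, the MODULE and VIEW names in the URLs are placeholders (the writeup does not name the endpoint), and the assumption that a legitimate src_record is always an integer record id is mine, not Vtiger's.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format log lines, not captured from a real host. MODULE and
# VIEW are placeholders: the writeup does not name the endpoint that takes src_record.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2019:10:01:12 +0000] "GET /index.php?module=MODULE&view=VIEW&src_record=3096 HTTP/1.1" 200 9690 "-" "Mozilla/5.0"
10.0.0.5 - - [20/Mar/2019:10:01:40 +0000] "GET /index.php?module=MODULE&view=VIEW&src_record=3096%27 HTTP/1.1" 200 9690 "-" "Mozilla/5.0"
10.0.0.5 - - [20/Mar/2019:10:02:05 +0000] "GET /index.php?module=MODULE&view=VIEW&src_record=3096%27%27 HTTP/1.1" 200 10957 "-" "Mozilla/5.0"
10.0.0.5 - - [20/Mar/2019:10:03:30 +0000] "GET /index.php?module=MODULE&view=VIEW&src_record=-3096%20union%20select%20100%27%20UNION%20ALL%20SELECT%20version()%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%20--%20IJXL HTTP/1.1" 200 12001 "-" "Mozilla/5.0"
"""

# Only the fields the check needs are captured from each log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
RECORD_ID_RE = re.compile(r"\d+")        # assumption: a legitimate src_record is a plain integer id
UNION_RE = re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE)
COMMENT_RE = re.compile(r"--|#|/\*")     # terminators used to discard the rest of the query


def inspect_src_record(value):
    # Return the reasons a decoded src_record value looks like SQL injection (empty if clean).
    reasons = []
    if not RECORD_ID_RE.fullmatch(value):
        reasons.append("non-numeric")
    if "'" in value:
        reasons.append("quote")          # the probes from Figures 1 and 2
    if UNION_RE.search(value):
        reasons.append("union-select")   # the extraction query from Figure 3
    if COMMENT_RE.search(value):
        reasons.append("sql-comment")
    return reasons


def scan_log(text):
    # Parse access-log lines and report every request whose src_record value is flagged.
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes the value, so %27 and %20 are inspected as ' and space.
        params = parse_qs(urlsplit(m["target"]).query)
        for value in params.get("src_record", []):
            reasons = inspect_src_record(value)
            if reasons:
                findings.append(dict(ip=m["ip"], ts=m["ts"], size=m["size"], value=value, reasons=reasons))
    return findings
```

Comparing the size field across flagged requests from one client reproduces the response-length differential the figures rely on, which is a useful triage signal alongside the pattern match.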

You can insert SQL queries of your choice to exploit the database even further; one can even use sqlmap to gain a shell using the os-shell switch. The issue was reported to the Vtiger team on 21st March 2019 and was resolved on 3rd April 2019 in the hotfix3 release by Vtiger. The announcement link is shared below:

Patch download link:

CVE-2019-11057 link:

Test Details

Affected Vtiger CRM Version: 7.1.0 (Open Source)

Release Date: 05/03/2019

Test Date: 20/03/2019

Download URL: https://excellmedia.dl.sourceforge.net/project/vtigercrm/vtiger%20CRM%207.1.0/Core%20Product/vtigercrm7.1.0.tar.gz

That’s all Folks!

Regards,

Mohnish Dhage