SQL Injection in Vtiger CRM v7.1.0 - CVE-2019-11057
Hello! I am Mohnish Dhage. I'm a Security Analyst and a Bug Bounty Enthusiast. I would like to share one of my recent findings, which resulted in my first CVE ID (CVE-2019-11057). The vulnerability was found in Vtiger's open source CRM, version 7.1.0.
Vtiger's open source CRM version 7.1.0 is vulnerable to SQL injection via the src_record parameter, which allows an authenticated user to read, update and delete tables and data in the SQL database.
Proof of Concept
Note: The figure above shows that the query was unsuccessful, and the length of the response is 9,690 bytes.
Note: The figure above shows that the query was successful, and the length of the response is 10,957 bytes, verifying that the parameter might be vulnerable to SQL injection.
Query used: "-3096 union select 100' UNION ALL SELECT version(),NULL,NULL,NULL,NULL,NULL,NULL,NULL -- IJXL"
You can insert SQL queries of your choice to exploit the database even further; one can even use sqlmap to gain a shell using the os-shell switch. The issue was reported to the Vtiger team on 21st March 2019 and was resolved on 3rd April 2019 in the hotfix3 release by Vtiger. The announcement link is shared below:
Announcement (lists.vtigercrm.com): "Dear members, Vtiger 7.1.0 (Hotfix3) is now available. Download hotfix: vtigercrm7.1.0-hotfix3.zip. This patch addresses…"
Patch download link (sourceforge.net): "Download Vtiger CRM for free. An enterprise-class CRM and more! Vtiger CRM enables sales, support, and marketing teams…"
CVE entry (www.cvedetails.com): "CVE-2019-11057: SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute…"
Affected Vtiger CRM Version: 7.1.0 (Open Source)
Release Date: 05/03/2019
Test Date: 20/03/2019
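As an added example from the defender's side (not part of the original post or of Vtiger's code), the following Python scans web-server access-log lines for requests whose src_record value is not a bare numeric record id, which is how the payload shape shown above would appear in logs. It assumes combined-log-format lines and that a legitimate src_record is purely numeric; the sample lines are constructed, and the module/view parameters are omitted because the post does not name them.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption (not stated in the post): a legitimate src_record is a plain numeric
# CRM record id, so anything else in that parameter deserves a closer look.
RECORD_ID = re.compile(r"^\d+$")
# Tokens that make the reason for an alert explicit when the value is not numeric.
SQL_TOKENS = re.compile(r"\b(?:union|select|sleep|benchmark|or|and)\b|['\"#]|--", re.I)
# Combined log format: ip ident user [timestamp] "METHOD url PROTO" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r"(?P<status>\d{3}) (?P<bytes>\S+)"
)

# Constructed sample lines (not taken from the original post). The second request
# carries the union-based payload shape discussed above, URL-encoded as a client
# would send it; module/view parameters are left out because the post does not name them.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2019:10:01:02 +0000] "GET /index.php?src_record=3096 HTTP/1.1" 200 9690
10.0.0.5 - - [20/Mar/2019:10:01:09 +0000] "GET /index.php?src_record=-3096%20union%20select%20100%27%20UNION%20ALL%20SELECT%20version()%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%20--%20IJXL HTTP/1.1" 200 10957
10.0.0.7 - - [20/Mar/2019:10:02:00 +0000] "POST /index.php HTTP/1.1" 302 0
"""


def is_clean_src_record(value: str) -> bool:
    """True when the percent-decoded src_record looks like a bare record id."""
    return RECORD_ID.match(value) is not None


def flag_src_record(log_text: str) -> list:
    """Return one finding per request whose src_record is not a bare record id."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line in the expected shape; skip rather than guess
        # parse_qs percent-decodes the value, so the check runs on what the app sees
        params = parse_qs(urlsplit(m["url"]).query)
        for value in params.get("src_record", []):
            if is_clean_src_record(value):
                continue
            tokens = sorted({t.lower() for t in SQL_TOKENS.findall(value)})
            findings.append({
                "ip": m["ip"], "timestamp": m["ts"], "status": int(m["status"]),
                "bytes": int(m["bytes"]) if m["bytes"].isdigit() else 0,
                "value": value,
                "reason": ("sql tokens: " + ", ".join(tokens)) if tokens else "non-numeric record id",
            })
    return findings
```

Run over real logs, the response size in each finding is the same signal the post uses (9,690 vs 10,957 bytes) to tell a failed probe from a successful one.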
That’s all Folks!