PT-2005-4568 · Vtiger · Vtiger Crm

Christopher Kunz

Published 2005-11-26 · Updated 2018-10-19 · CVE-2005-3820

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: vTiger CRM versions 4.2 and earlier

Description: vTiger CRM 4.2 and earlier builds file paths from the module and action request parameters of index.php without validating them. In the Leads module, a remote, unauthenticated attacker can supply .. (dot dot) sequences to traverse out of the modules directory and a null byte (%00) to cut the path off before the suffix the application appends, which allows reading or including arbitrary files on the server. Because the application also writes attacker-controlled request data to its log file, PHP code injected into a log message and then included through the same traversal flaw is executed, turning the file inclusion into arbitrary PHP code execution.

Recommendations: Upgrade to a vTiger CRM release that is not affected. Until an upgrade is possible, restrict access to the Leads module and to the index.php entry point that consumes the module and action parameters (for example, to trusted networks or authenticated users), and validate those parameters against a fixed list of known module and action names, rejecting any value that contains path separators, .. sequences or null bytes. Avoid writing raw request data to log files, keep the log files outside the web root, and review them for traversal or null-byte sequences as an indicator of attempted exploitation.
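The following Python model is an added example, not vTiger's own code, written to show the two mechanisms described above and the mitigation recommended for them: a resolver that glues unvalidated module and action parameters into an include path (with the null-byte truncation that PHP 4/5-era file functions performed), the same resolver hardened with an allowlist and a root check, and a log check that flags traversal, null-byte and PHP-tag payloads. The directory layout, the module and action names in the allowlist, the helper names and the sample query strings are all assumptions constructed for the example.

```python
"""Added illustration for CVE-2005-3820 (not vTiger's own code).

Models an include("modules/$module/$action.php") resolver that trusts the
request parameters, how '..' and '%00' abuse it, a hardened allowlist
resolver, and a detection check over access-log query strings.  Paths,
module names and query strings below are constructed for the example.
"""
import posixpath
from urllib.parse import unquote

# Assumed document-root layout for the example (not the real install path).
MODULES_ROOT = "/var/www/vtiger/modules"

# Hypothetical allowlist of legitimate module -> action names.
ALLOWED_ACTIONS = {
    "Leads": {"index", "DetailView", "EditView"},
    "Contacts": {"index", "DetailView"},
}


def unsafe_resolve(module: str, action: str) -> str:
    """Vulnerable pattern: decode the parameters once (as $_GET does), glue
    them into the path and append '.php'.  The C file functions beneath the
    PHP 4/5 include() treated the string as NUL-terminated, so everything
    after a %00 was dropped; that is emulated here before the path is
    normalised the way the operating system would resolve it."""
    raw = f"{MODULES_ROOT}/{unquote(module)}/{unquote(action)}.php"
    nul = raw.find("\x00")
    if nul >= 0:
        raw = raw[:nul]  # the appended '.php' suffix is lost here
    return posixpath.normpath(raw)


class BadRequest(ValueError):
    """Raised by the hardened resolver for any rejected parameter."""


def safe_resolve(module: str, action: str) -> str:
    """Hardened pattern: decode once, reject control bytes and path
    separators, require both names to be on a fixed allowlist, and confirm
    the final path still lies under MODULES_ROOT."""
    module, action = unquote(module), unquote(action)
    for value in (module, action):
        if any(ord(ch) < 0x20 for ch in value) or "/" in value or "\\" in value:
            raise BadRequest("control byte or path separator in parameter")
    if module not in ALLOWED_ACTIONS or action not in ALLOWED_ACTIONS[module]:
        raise BadRequest(f"unknown module/action {module!r}/{action!r}")
    path = posixpath.normpath(f"{MODULES_ROOT}/{module}/{action}.php")
    if not path.startswith(MODULES_ROOT + "/"):
        raise BadRequest("resolved path escapes the modules directory")
    return path


def rejects(module: str, action: str) -> bool:
    """True when the hardened resolver refuses the module/action pair."""
    try:
        safe_resolve(module, action)
    except BadRequest:
        return True
    return False


def is_attack_request(query_string: str) -> bool:
    """Detection check for an access-log query string: flags dot-dot
    traversal, NUL bytes, or a PHP open tag (the log-poisoning payload)
    in the decoded parameter values."""
    decoded = unquote(query_string)
    markers = ("../", "..\\", "\x00", "<?php", "<?=")
    return any(marker in decoded for marker in markers)


if __name__ == "__main__":
    # Legitimate request resolves the same way in both resolvers.
    print(unsafe_resolve("Leads", "DetailView"))
    # Traversal plus %00 escapes the modules tree and drops the '.php' suffix.
    print(unsafe_resolve("Leads", "../../../../../../../etc/passwd%00"))
    # Including the application's own log file is how injected PHP runs.
    print(unsafe_resolve("Leads", "../../../../../../../var/log/vtiger/app.log%00"))
    print(rejects("Leads", "../../../../../../../etc/passwd%00"))
    print(is_attack_request("module=Leads&action=../../../../etc/passwd%00"))
```

The null byte is what makes the traversal worth anything to the attacker: without it the appended .php suffix would have to exist on the target file. PHP builds since 5.3.4 reject file paths that contain a NUL byte, so the truncation emulated in unsafe_resolve is specific to the PHP versions of the era; the allowlist in safe_resolve does not rely on that runtime behaviour and is the check the recommendations call for.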


Related identifiers

CVE-2005-3820

Affected products

Vtiger Crm