PT-2009-5563 · Vtiger · Vtiger Crm

Antonio Parata

+5

·

Published

2009-09-18

·

Updated

2017-09-19

·

CVE-2009-3249

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

vtiger CRM version 5.0.4

Description

Multiple directory traversal vulnerabilities in vtiger CRM 5.0.4 allow remote attackers, without authentication, to include and execute arbitrary local files via a .. (dot dot) in the module parameter to graph.php, or in the module or file parameter to include/Ajax/CommonAjax.php. CommonAjax.php is reachable through the per-module Ajax wrappers, such as modules/Campaigns/CampaignsAjax.php and modules/SalesOrder/SalesOrderAjax.php, among others. Separately, remote authenticated users can include and execute arbitrary local files via a .. (dot dot) in the step parameter of an Import action in the Accounts, Contacts, HelpDesk, Leads, Potentials, Products and Vendors modules; this path is reached through index.php and involves modules/Import/index.php and the modules' Import.php files. In each case a user-supplied value is used to build the path passed to a PHP include, so any file the web server can read (for example, the configuration file holding database credentials) can be disclosed, and PHP code contained in an included file runs with the web server's privileges.

Recommendations

This page records no fixed version. Until a fix is applied to vtiger CRM 5.0.4: block or remove graph.php and include/Ajax/CommonAjax.php, together with the Ajax wrappers that reach it (modules/Campaigns/CampaignsAjax.php, modules/SalesOrder/SalesOrderAjax.php, and the others), at the web server if they are not needed; reject any request whose module, file or step parameter contains a path separator or a .. segment, preferably by allowlisting known module names; restrict index.php with action=Import to trusted authenticated users; and review web server access logs for traversal attempts against these endpoints.
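As an added example (not code from this advisory or from the vtiger project), the following Python scans web server access-log lines for the traversal pattern described above and also shows the parameter check a fix would need to apply before building an include path. The endpoint-to-parameter mapping and the rule that step only matters with action=Import are taken from the description; the log lines, client addresses and the /vtiger/ install path are constructed for the example.

```python
"""Spot CVE-2009-3249-style traversal attempts against vtiger CRM 5.0.4 in
Apache/nginx combined-format access logs, and validate module names the way
a fixed include path builder should. Added example; all sample data below
is constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint -> parameters the advisory names as traversal sinks. Paths are
# relative to the vtiger web root and come from the advisory text, not from
# vtiger's source. Tuples keep result order deterministic.
SINKS = (
    ("graph.php", ("module",)),
    ("include/Ajax/CommonAjax.php", ("module", "file")),
    ("modules/Campaigns/CampaignsAjax.php", ("module", "file")),
    ("modules/SalesOrder/SalesOrderAjax.php", ("module", "file")),
    ("index.php", ("step",)),  # only meaningful together with action=Import
)

# Combined log format; only the client address and request target are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" \d{3}'
)

# Constructed sample log lines (three attack attempts, two benign requests).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Sep/2009:10:01:12 +0000] "GET /vtiger/graph.php?module=../../../../etc/passwd%00 HTTP/1.1" 200 512',
    '203.0.113.7 - - [18/Sep/2009:10:01:40 +0000] "GET /vtiger/include/Ajax/CommonAjax.php?module=Campaigns&file=..%2F..%2Fconfig.inc HTTP/1.1" 200 2048',
    '198.51.100.9 - - [18/Sep/2009:10:02:05 +0000] "GET /vtiger/index.php?module=Leads&action=Import&step=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1024',
    '192.0.2.44 - - [18/Sep/2009:10:03:00 +0000] "GET /vtiger/graph.php?module=Potentials HTTP/1.1" 200 300',
    '192.0.2.44 - - [18/Sep/2009:10:03:30 +0000] "GET /vtiger/index.php?module=Contacts&action=DetailView&record=12 HTTP/1.1" 200 9000',
]


def decode_fully(value, rounds=3):
    """Percent-decode until stable. Double encoding (%252e) survives the
    single decode a naive filter performs; the bound avoids pathological input."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value


def has_traversal(value):
    """True if the value contains a '..' path segment (either separator) or a
    NUL byte, which older PHP used to truncate an appended suffix such as '.php'."""
    v = decode_fully(value).replace("\\", "/")
    return any(seg == ".." for seg in v.split("/")) or "\x00" in v


def is_safe_module_name(value):
    """Allowlist-style check a fixed include path builder should apply:
    exactly one path component made of [A-Za-z0-9_], so no separators or dots."""
    return re.fullmatch(r"[A-Za-z0-9_]+", value) is not None


def find_attempts(log_lines):
    """Return (client_ip, endpoint, parameter, decoded_value) for each request
    that sends a traversal sequence to one of the advisory's sink parameters."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        path = url.path.lstrip("/")
        # Suffix match so an install under /vtiger/ (or any prefix) still matches.
        sink = next(((e, p) for e, p in SINKS if path.endswith(e)), None)
        if sink is None:
            continue
        endpoint, param_names = sink
        params = parse_qs(url.query, keep_blank_values=True)
        # The step sink is only reachable through an Import action.
        if endpoint == "index.php" and params.get("action") != ["Import"]:
            continue
        for name in param_names:
            for value in params.get(name, []):
                if has_traversal(value):
                    hits.append((m.group("ip"), endpoint, name, decode_fully(value)))
    return hits


if __name__ == "__main__":
    for ip, endpoint, name, value in find_attempts(SAMPLE_LOG):
        print(f"{ip} -> {endpoint} [{name}={value!r}]")
```

Run as-is it reports the three constructed attack lines and ignores the two benign ones; point find_attempts at real log lines to triage a suspected instance. is_safe_module_name is the positive check to put in front of any include that is built from module, file or step: rejecting only the literal string .. is not enough, since encoded and double-encoded forms and NUL truncation all reach the same sink.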

Exploit

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2009-3249

Affected Products

Vtiger Crm