vTiger CRM AddEmailAttachment arbitrary file upload

Added: 01/10/2014
CVE: CVE-2013-3214
BID: 61558
OSVDB: 95902

Background

vTiger CRM is a customer relationship management application written in PHP.

Problem

An arbitrary file upload vulnerability when handling SOAP AddEmailAttachment requests allows remote attackers to execute arbitrary commands by uploading PHP scripts under the web root.

Resolution

Upgrade to version 6.0 when available, or apply the patch. Note that the patch only prevents exploitation by unauthenticated attackers.

References

http://seclists.org/bugtraq/2013/Aug/7

Limitations

Exploit works on vTiger CRM 5.4.0.
Back to exploit index