CVE-2012-4867
Published 2012-09-06
Priority: P267 · medium · 5 · CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 3.50% (87.7th percentile)
Directory traversal vulnerability in modules/com_vtiger_workflow/sortfieldsjson.php in vtiger CRM 5.1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the module_name parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vtiger | vtiger_crm | — | — |
Detection & IOCs (extracted from sources)
url: https://localhost/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00
- Detect directory traversal attempts targeting the module_name parameter in sortfieldsjson.php; look for '../' sequences or URL-encoded equivalents (%2e%2e%2f) in GET requests to this endpoint.
- Monitor HTTP requests to /modules/com_vtiger_workflow/sortfieldsjson.php containing a null byte (%00) in the module_name parameter, which is used to terminate the filename string and bypass extension checks.
- Alert on unauthenticated GET requests to sortfieldsjson.php with module_name values containing multiple '../' traversal sequences, especially targeting sensitive OS files such as /etc/passwd.
- The exploit was tested specifically on CentOS 6; traversal depth (number of '../' sequences) may need adjustment depending on the web root installation path on other OS/distributions.
- The null byte (%00) termination technique is only effective on PHP installations where the underlying C runtime respects null-terminated strings for file operations; this is patched in PHP 5.3.4+.
CVSS provenance
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck · 5.0 MEDIUM
GHSA
GHSA-4qjj-4hrh-m4vv: Directory traversal vulnerability in modules/com_vtiger_workflow/sortfieldsjson
ghsa_unreviewed · 2022-05-17
CVE-2012-4867 [MEDIUM] CWE-22 GHSA-4qjj-4hrh-m4vv: Directory traversal vulnerability in modules/com_vtiger_workflow/sortfieldsjson
VulnCheck
vtiger vtiger_crm Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck · 2012 · CVSS 5.0
CVE-2012-4867 [MEDIUM] vtiger vtiger_crm Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected: vtiger vtiger_crm
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://isc.sans.edu/diary/10+Years+Later+Attacker+rediscovering+old+VTiger+CRM+Vulnerability/29098/