CVE-2013-3214
Published 2020-01-28
Priority P278 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 84.54% (99.7th percentile)
vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vtiger | vtiger_crm | <= 5.4.0 | — |
Detection & IOCs
Command: AddEmailAttachment SOAP with filename=../../../../../../<file>.php and base64-encoded PHP payload in filedata
- Detect unauthenticated POST requests to the vtigerolservice.php SOAP endpoint, particularly invoking the AddEmailAttachment method with a filename containing directory traversal sequences (../../).
- Look for SOAP requests to /soap/vtigerolservice.php with Content-Type 'text/xml' and a body containing the AddEmailAttachment action and a .php filename in the filename element.
- Monitor for HTTP GET requests to /vtigercrm/soap/<random>.php immediately after a POST to the AddEmailAttachment endpoint, indicating payload execution after upload.
- Authentication bypass can be detected by SOAP calls to validateSession-protected methods where the sessionid parameter is omitted, set to 0, or null, causing validateSession() to return true against a null server_sessionid.
- Detect SOAP envelope requests using the vtiger CRM namespace (xmlns:crm="http://www.vtiger.com/products/crm") targeting the AddEmailAttachment or CheckEmailPermission operations.
- Alert on newly created .php files appearing inside the /soap/ directory of a vTiger CRM installation, as the exploit writes the uploaded payload there.
- The filetype field in the AddEmailAttachment SOAP body is set to 'php' during exploitation; inspect SOAP body for filetype=php combined with base64-encoded filedata.
- The vendor patch (http://www.vtiger.com/blogs/?p=1467) does not fully remediate CVE-2013-3214; authenticated users can still inject and execute arbitrary code after patching.
- The exploit requires combining two vulnerabilities: the authentication bypass (CVE-2013-3215) and the arbitrary file upload via AddEmailAttachment (CVE-2013-3214); detection logic should account for both being used in sequence.
- The payload is sent base64-encoded inside a POST SOAP request with a maximum space of 256k; detection rules should handle large base64-encoded SOAP bodies.
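The request-body indicators listed above, combined into one check over a captured SOAP POST (an added example, not code from this page or the sources it indexes). The element names `filename`, `filetype`, `filedata` and `sessionid` come from the notes above; the envelope layout, the function names and both sample requests are constructed assumptions.

```python
import base64
import re
import xml.etree.ElementTree as ET

WATCHED_OPS = {"AddEmailAttachment", "CheckEmailPermission"}
ENDPOINT = re.compile(r"/soap/vtigerolservice\.php$", re.I)

def local(tag):
    return tag.rsplit("}", 1)[-1]            # drop ElementTree's '{namespace}' prefix

def inspect_soap(method, path, body):
    """Return the indicators matched by one HTTP request (body is bytes)."""
    if method != "POST" or not ENDPOINT.search(path.split("?")[0]):
        return []
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return ["dtd-in-soap-body"]          # never valid SOAP; refuse to parse it
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["unparseable-soap-body"]
    hits = []
    for op in (e for e in root.iter() if local(e.tag) in WATCHED_OPS):
        args = {local(c.tag): (c.text or "").strip() for c in op}
        hits.append("op:" + local(op.tag))
        if args.get("sessionid", "").lower() in ("", "0", "null"):
            hits.append("sessionid-missing-or-null")
        name = args.get("filename", "")
        if ".." in name.replace("\\", "/").split("/"):
            hits.append("filename-traversal")
        if name.lower().endswith(".php"):
            hits.append("filename-php")
        if args.get("filetype", "").lower() == "php":
            hits.append("filetype-php")
        try:                                 # bodies may be large (up to 256k)
            blob = re.sub(r"\s+", "", args.get("filedata", ""))
            data = base64.b64decode(blob, validate=True)
        except ValueError:                   # binascii.Error is a ValueError
            data = b""
        if b"<?" in data[:1024]:
            hits.append("filedata-php-open-tag")
    return hits

def sample(op, **args):                      # builds constructed test input only
    inner = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    ns = ('xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
          'xmlns:crm="http://www.vtiger.com/products/crm"')
    return f"<s:Envelope {ns}><s:Body><crm:{op}>{inner}</crm:{op}></s:Body></s:Envelope>".encode()

PHP = base64.b64encode(b"<?php echo 'constructed sample'; ?>").decode()
PDF = base64.b64encode(b"%PDF-1.4 constructed").decode()
SUSPICIOUS = sample("AddEmailAttachment", filename="../../../x.php", filetype="php", filedata=PHP)
BENIGN = sample("AddEmailAttachment", sessionid="a1b2c3", filename="r.pdf", filetype="pdf", filedata=PDF)
```

A rule built on this should also correlate a match with the follow-up GET to a `.php` file under `/soap/` and with file-creation events in that directory, as the notes above describe.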
CVSS provenance
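| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |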
No detection rules found.
Exploit-DB
vTiger CRM 5.4.0 SOAP - AddEmailAttachment Arbitrary File Upload (Metasploit)
exploitdb·2014-01-07
CVE-2013-3214 vTiger CRM 5.4.0 SOAP - AddEmailAttachment Arbitrary File Upload (Metasploit)
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rexml/document'
class Metasploit3 'vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload',
'Description' => %q{
vTiger CRM allows an user to bypass authentication when requesting SOAP services.
In addition, arbitrary file upload is possible through the AddEmailAttachment SOAP
service. By combining both vulnerabilities an attacker can upload and execute PHP
code. This module has been tested successfully on vTiger CRM v5.4.0 over Ubuntu
10.04 and Windows 2003 SP2.
},
'Author' =>
[
'Egidio Romano', # Vulnerability discovery
'juan vazquez' # msf
Exploit-DB
vTiger CRM 5.4.0 SOAP - Multiple Vulnerabilities
exploitdb·2013-08-02
CVE-2013-3215 vTiger CRM 5.4.0 SOAP - Multiple Vulnerabilities
---
vtiger CRM debug("Entering customer portal function get_list_values");
2) The vulnerable code is located in the get_project_components SOAP method defined in /soap/customerportal.php:
2778. function get_project_components($id,$module,$customerid,$sessionid) {
2779. require_once("modules/$module/$module.php");
2780. require_once('include/utils/UserInfoUtil.php');
2781.
2782. global $adb,$log;
2783. $log->debug("Entering customer portal function get_project_components ..");
The vulnerabilities exist because these methods fail to properly validate input passed through the "module"
parameter, that is being used in a call to the require_once() function (lines 1530 and 2779). This might be
exploited to include arbitrary local files contai
Metasploit
vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload
metasploit
vTiger CRM allows a user to bypass authentication when requesting SOAP services. In addition, arbitrary file upload is possible through the AddEmailAttachment SOAP service. By combining both vulnerabilities an attacker can upload and execute PHP code. This module has been tested successfully on vTiger CRM v5.4.0 over Ubuntu 10.04 and Windows 2003 SP2.
No writeups or analysis indexed.
2020-01-28
Published