CVE-2014-2268
published 2014-11-16CVE-2014-2268: views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the…
PriorityP347medium5CVSS 2.0
AVNACLAuNCNINAP
EXPLOIT
EPSS
31.21%
98.0th percentile
views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code via the db_name parameter.
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vtiger | vtiger_crm | — | — |
| vtiger | vtiger_crm | — | — |
| vtiger | vtiger_crm | — | — |
| vtiger | vtiger_crm | — | — |
| vtiger | vtiger_crm | — | — |
| vtiger | vtiger_crm | — | — |
| vtiger | vtiger_crm | — | — |
| vtiger | vtiger_crm | — | — |
| vtiger | vtiger_crm | — | — |
| vtiger | vtiger_crm | — | — |
| vtiger | vtiger_crm | — | — |
| vtiger | vtiger_crm | — | — |
| vtiger | vtiger_crm | — | — |
| vtiger | vtiger_crm | — | — |
| vtiger | vtiger_crm | — | — |
| vtiger | vtiger_crm | — | — |
| vtiger | vtiger_crm | — | — |
| vtiger | vtiger_crm | — | — |
| vtiger | vtiger_crm | — | — |
| vtiger | vtiger_crm | — | — |
| vtiger | vtiger_crm | — | — |
| vtiger | vtiger_crm | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect exploitation attempts by inspecting HTTP requests to the vTiger Install module: look for GET requests to index.php with parameters module=Install, view=Index, and mode=Step5 or mode=Step7 combined with the presence of an X-Requested-With header. ↗
- →Alert on HTTP requests containing SQL/PHP injection patterns in the db_name parameter, specifically strings containing single-quote followed by PHP isset() or similar PHP code constructs. ↗
- →Monitor for GET requests to config.inc.php immediately following requests to the Install module endpoint, as the exploit triggers payload execution by fetching config.inc.php with a random GET argument. ↗
- →Flag any HTTP request to the vTiger Install module (module=Install) that originates from an unauthenticated session, as the vulnerability allows re-installation without authentication by setting the X-Requested-With header. ↗
- ·Exploitation overwrites the target database configuration file (config.inc.php), which may permanently break the vTiger web application and prevent further exploitation or recovery. ↗
- ·The payload is injected via the db_name GET parameter and must not contain the '#' character (BadChars), which may limit certain payload types. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
Vtiger - 'Install' Remote Command Execution (Metasploit)
exploitdb·2014-04-10
CVE-2014-2268 Vtiger - 'Install' Remote Command Execution (Metasploit)
Vtiger - 'Install' Remote Command Execution (Metasploit)
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'Vtiger Install Unauthenticated Remote Command Execution',
'Description' => %q{
This module exploits an arbitrary command execution vulnerability in the
Vtiger install script. This module is set to ManualRanking due to this
module overwriting the target database configuration, which may result in
a broken web app, and you may not be able to get a session again.
},
'Author' =>
[
'Jonathan Borgeaud ' # Navixia Research Team
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-2268' ],
[ 'URL', 'https://www.navixia.com/blog/entry/navixia-find-critica
Metasploit
Vtiger Install Unauthenticated Remote Command Execution
metasploit
Vtiger Install Unauthenticated Remote Command Execution
Vtiger Install Unauthenticated Remote Command Execution
This module exploits an arbitrary command execution vulnerability in the Vtiger install script. This module is set to ManualRanking due to this module overwriting the target database configuration, which may result in a broken web app, and you may not be able to get a session again.
No writeups or analysis indexed.
http://vtiger-crm.2324883.n4.nabble.com/Vtigercrm-developers-IMP-forgot-password-and-re-installation-security-fix-tt9786.htmlhttp://www.exploit-db.com/exploits/32794http://www.securityfocus.com/bid/66757https://www.navixia.com/blog/entry/navixia-find-critical-vulnerabilities-in-vtiger-crm-cve-2014-2268-cve-2014-2269.htmlhttp://vtiger-crm.2324883.n4.nabble.com/Vtigercrm-developers-IMP-forgot-password-and-re-installation-security-fix-tt9786.htmlhttp://www.exploit-db.com/exploits/32794http://www.securityfocus.com/bid/66757https://www.navixia.com/blog/entry/navixia-find-critical-vulnerabilities-in-vtiger-crm-cve-2014-2268-cve-2014-2269.html
2014-11-16
Published