CVE-2014-2268
published 2014-11-16

Priority: P3 / 47
Severity: medium, 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Exploit: available
EPSS: 31.21% (98.0th percentile)

views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code via the db_name parameter.

Affected

22 ranges
Vendor: vtiger
Product: vtiger_crm

Detection & IOCs (extracted from sources)

url: index.php?module=Install&view=Index&mode=Step5
url: index.php?module=Install&view=Index&mode=Step7
path: views/Index.php
path: config.inc.php
command: db_name=127.0.0.1'; if(isset($_GET['<rand_arg>'])){ <payload> } //
  • Detect exploitation attempts by inspecting HTTP requests to the vTiger Install module: look for GET requests to index.php with parameters module=Install, view=Index, and mode=Step5 or mode=Step7 combined with the presence of an X-Requested-With header.
  • Alert on HTTP requests containing SQL/PHP injection patterns in the db_name parameter, specifically strings containing single-quote followed by PHP isset() or similar PHP code constructs.
  • Monitor for GET requests to config.inc.php immediately following requests to the Install module endpoint, as the exploit triggers payload execution by fetching config.inc.php with a random GET argument.
  • Flag any HTTP request to the vTiger Install module (module=Install) that originates from an unauthenticated session, as the vulnerability allows re-installation without authentication by setting the X-Requested-With header.
  • Exploitation overwrites the target database configuration file (config.inc.php), which may permanently break the vTiger web application and prevent further exploitation or recovery.
  • The payload is injected via the db_name GET parameter and must not contain the '#' character (BadChars), which may limit certain payload types.
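
The first three detection bullets above, applied to web-server log lines. This is an added example, not code from the advisory or from vTiger; the log format (with the X-Requested-With value as the last field), the 60-second window, the rule names and the sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Assumed log format (not from the page): client, ISO timestamp, request line,
# status, then the X-Requested-With header value ("-" when the header is absent).
LINE = re.compile(r'(\S+) \[([^\]]+)\] "GET (\S+) [^"]*" (\d{3}) "([^"]*)"')
# A single quote followed by PHP constructs inside the decoded db_name value.
PHP_IN_DB_NAME = re.compile(r"'.*(isset\s*\(|\$_(GET|POST|REQUEST)|<\?php|eval\s*\()", re.I | re.S)
WINDOW = timedelta(seconds=60)  # assumed reading of "immediately following"

SAMPLE = [  # constructed log lines, not captured traffic
    '198.51.100.7 [2024-01-01T10:00:00] "GET /index.php?module=Install&view=Index&mode=Step5&db_name=127.0.0.1%27%3B%20if(isset(%24_GET%5B%27a%27%5D))%7B%20PLACEHOLDER%20%7D%20%2F%2F HTTP/1.1" 200 "XMLHttpRequest"',
    '198.51.100.7 [2024-01-01T10:00:02] "GET /index.php?module=Install&view=Index&mode=Step7 HTTP/1.1" 200 "XMLHttpRequest"',
    '198.51.100.7 [2024-01-01T10:00:05] "GET /config.inc.php?a=1 HTTP/1.1" 200 "-"',
    '203.0.113.9 [2024-01-01T10:05:00] "GET /index.php?module=Home&view=List HTTP/1.1" 200 "-"',
    '203.0.113.9 [2024-01-01T10:05:01] "GET /config.inc.php HTTP/1.1" 403 "-"',
]

def detect(lines):
    """Return (client, rule) findings in log order."""
    findings, last_install = [], {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a GET request in the assumed format
        client, ts, uri, _status, xrw = m.groups()
        when = datetime.fromisoformat(ts)
        url = urlsplit(uri)
        query = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
        if url.path.endswith("index.php") and query.get("module") == "Install":
            last_install[client] = when  # remembered for the config.inc.php rule
            step = query.get("view") == "Index" and query.get("mode") in ("Step5", "Step7")
            if step and xrw != "-":
                findings.append((client, "install-step-with-xrw"))
            if PHP_IN_DB_NAME.search(query.get("db_name", "")):
                findings.append((client, "php-in-db_name"))
        elif url.path.endswith("config.inc.php"):
            seen = last_install.get(client)
            if seen is not None and when - seen <= WINDOW:
                findings.append((client, "config-fetch-after-install"))
    return findings

if __name__ == "__main__":
    for client, rule in detect(SAMPLE):
        print(client, rule)
```

The fourth bullet (requests from an unauthenticated session) needs session data that this log format does not carry, so it is not covered here.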