Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20140827221432.152E3C00FB@smtp.hushmail.com>
Date: Wed, 27 Aug 2014 23:14:31 +0100
From: "Benjamin Harris" <bch@...h.ai>
To: fulldisclosure@...lists.org, oss-security@...ts.openwall.com
Subject: XRMS SQLi to RCE 0day

Hi

OSS-Security: Can I request a CVE for this please?

XRMS Description:
----------------------

The most advanced open source customer relationship management 
(CRM), Sales Force Automation (SFA) suite: also features business 
intelligence (BI) tools, Computer Telephony Integration (CTI), and 
advanced plugin architecture. PHP/ADOdb/LAMP

Brief:
-------------------------------

I tried to report this to the developers/get it fixed a month ago, 
although I've had no response from the developers. This should work 
against latest, was found a long time ago, and I recently found it 
while brushing off some hard drives.

Details:
------------------------

We get SQL injection via $_SESSION poisoning which we use to 
retrieve admin credentials. We then authenticate with these 
credentials and exploit a trivial command injection. Attached is a 
working POC.

Many thanks,
Ben
View attachment "release.py" of type "text/x-python" (8063 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.