From theall at tenable.com Wed Apr 25 19:36:51 2012
From: theall at tenable.com (George A. Theall)
Date: Wed, 25 Apr 2012 20:36:51 -0400
Subject: [VIM] vtiger CRM 'module_name' Parameter Local File Include Vulnerability
Message-ID:

BID 47263 covers a local file inclusion vulnerability involving the 'module_name' parameter as used in the vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php script that John Leitch reported in April 2011 (http://packetstormsecurity.org/files/100182/vtiger-CRM-5.2.1-Local-File-Inclusion.html).

BID 52671 concerns what appears to be the same vulnerability, presumably based on EDB 18635 (which is now MIA) / 18770 / http://packetstormsecurity.org/files/111075/Vtiger-5.1.0-Local-File-Inclusion.html.

Rob?

George
--
theall at tenablesecurity.com

From rkeith at securityfocus.com Thu Apr 26 10:13:35 2012
From: rkeith at securityfocus.com (Rob Keith)
Date: Thu, 26 Apr 2012 09:13:35 -0600
Subject: [VIM] vtiger CRM 'module_name' Parameter Local File Include Vulnerability
In-Reply-To:
References:
Message-ID: <4F99661F.5080705@securityfocus.com>

Hey George,

One and the same. We'll get that fixed up.

Thanks,
Rob

George A. Theall wrote:
> BID 47263 covers a local file inclusion vulnerability involving the 'module_name' parameter as used in the vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php script that John Leitch reported in April 2011 (http://packetstormsecurity.org/files/100182/vtiger-CRM-5.2.1-Local-File-Inclusion.html).
>
> BID 52671 concerns what appears to be the same vulnerability, presumably based on EDB 18635 (which is now MIA) / 18770 / http://packetstormsecurity.org/files/111075/Vtiger-5.1.0-Local-File-Inclusion.html.
>
> Rob?
>
>
> George