oss-sec mailing list archives
XRMS SQLi to RCE 0day
From: "Benjamin Harris" <bch () hush ai>
Date: Wed, 27 Aug 2014 23:14:31 +0100
Hi OSS-Security: Can I request a CVE for this please? XRMS Description: ---------------------- The most advanced open source customer relationship management (CRM), Sales Force Automation (SFA) suite: also features business intelligence (BI) tools, Computer Telephony Integration (CTI), and advanced plugin architecture. PHP/ADOdb/LAMP Brief: ------------------------------- I tried to report this to the developers/get it fixed a month ago, although I've had no response from the developers. This should work against latest, was found a long time ago, and I recently found it while brushing off some hard drives. Details: ------------------------ We get SQL injection via $_SESSION poisoning which we use to retrieve admin credentials. We then authenticate with these credentials and exploit a trivial command injection. Attached is a working POC. Many thanks, Ben
Attachment:
release.py
Description:
Current thread:
- XRMS SQLi to RCE 0day Benjamin Harris (Aug 27)
- Re: XRMS SQLi to RCE 0day cve-assign (Aug 29)