Vtiger CRM Open Source Edition Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in Vtiger CRM Open Source Edition versions up to and including 8.3.0. The issue allows an attacker with admin privileges to execute arbitrary PHP code through the ZIP import functionality of the Module Import feature. The vulnerability arises because the system does not properly validate the contents of uploaded ZIP files, so a module package can carry malicious PHP files that are then executed on the server.
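To illustrate the kind of content validation the advisory describes as missing, the following is an added example and not Vtiger's own code. It audits a module ZIP before import on the defender's side: it rejects entries with zip-slip or absolute paths, requires the 'manifest.xml' the advisory mentions (assumed here to sit at the ZIP root), lists every PHP entry, and flags PHP files that call code or command execution primitives so they can be reviewed by a human. The sample packages, the function names and the list of flagged primitives are all constructed for this example.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# Heuristic: PHP primitives that a legitimate CRM module rarely needs.
# Assumption of this example; a hit is a review trigger, not proof of malice.
SUSPICIOUS_PHP = re.compile(
    r"\b(eval|system|exec|shell_exec|passthru|proc_open|popen|fsockopen)\s*\(",
    re.IGNORECASE,
)


@dataclass
class ZipAudit:
    has_manifest: bool = False
    unsafe_paths: list = field(default_factory=list)   # zip-slip or absolute entries
    php_entries: list = field(default_factory=list)    # every PHP source in the package
    flagged: dict = field(default_factory=dict)        # entry -> sorted list of primitives found

    @property
    def safe_to_import(self) -> bool:
        return self.has_manifest and not self.unsafe_paths and not self.flagged


def is_unsafe_path(name: str) -> bool:
    """True for entries that would escape the extraction directory."""
    norm = name.replace("\\", "/")
    if norm.startswith("/") or re.match(r"^[A-Za-z]:", norm):
        return True
    return ".." in norm.split("/")


def audit_module_zip(data: bytes) -> ZipAudit:
    """Inspect a module package in memory without extracting it to disk."""
    audit = ZipAudit()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if is_unsafe_path(name):
                audit.unsafe_paths.append(name)
                continue  # never read or extract an entry with a hostile path
            if name == "manifest.xml":  # assumption: manifest lives at the ZIP root
                audit.has_manifest = True
            if name.lower().endswith((".php", ".phtml", ".phar")):
                audit.php_entries.append(name)
                source = zf.read(info).decode("utf-8", errors="replace")
                hits = sorted({m.group(1).lower() for m in SUSPICIOUS_PHP.finditer(source)})
                if hits:
                    audit.flagged[name] = hits
    return audit


def build_sample_zip(entries: dict) -> bytes:
    """Helper to construct in-memory test packages (not real Vtiger modules)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample packages for demonstration.
CLEAN_MODULE = build_sample_zip({
    "manifest.xml": "<module><name>Sample</name></module>",
    "modules/Sample/Sample.php": "<?php class Sample { public function run() { return 1; } }",
})

SUSPECT_MODULE = build_sample_zip({
    "manifest.xml": "<module><name>Sample</name></module>",
    # Benign stand-in for an execution primitive inside the List.php the advisory mentions.
    "modules/Sample/List.php": "<?php eval('return 1;');",
    # Zip-slip entry that would land outside the module directory on extraction.
    "../../index.php": "<?php // constructed traversal entry",
})


if __name__ == "__main__":
    for label, pkg in (("clean", CLEAN_MODULE), ("suspect", SUSPECT_MODULE)):
        result = audit_module_zip(pkg)
        print(label, "safe_to_import =", result.safe_to_import)
        print("  php entries :", result.php_entries)
        print("  unsafe paths:", result.unsafe_paths)
        print("  flagged     :", result.flagged)
```

The audit deliberately reads entries from the archive in memory rather than extracting them, so a package with traversal entries is rejected before anything touches the filesystem. Because Vtiger modules legitimately consist of PHP, the check does not reject PHP files as such; it surfaces the ones that call execution primitives for review.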

Impact

Exploitation of this vulnerability could lead to a full server takeover.

Reproduction

To reproduce this vulnerability, first prepare a ZIP file containing a 'List.php' file that holds a malicious PHP payload, such as a reverse shell, together with a 'manifest.xml' file that specifies the module details. After uploading the ZIP file through the 'Import Module from Zip' option in the Module Management section, the malicious PHP file is executed when the imported module is accessed, which triggers the reverse shell connection.

Remediation

It is recommended to disable the Module Import feature.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 10.0
exploitability: 5.8
remediation: 8.3
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.