vTiger CRM Directory File Disclosure

medium Nessus Plugin ID 30108

Synopsis

The remote web server contains a PHP application that allows listing of directory contents.

Description

The remote instance of vTiger allows an unauthenticated attacker to view the contents of application directories, which could lead to the disclosure of sensitive information.

Note that the solution does not prevent an attacker from retrieving files by guessing their names, only obtaining a directory listing when one is not otherwise available.

Solution

Upgrade to vTiger CRM 5.0.4 RC or later and, if necessary, rename the file 'htaccess.txt' in the 'vtigerCRM' directory under the web server's document root to '.htaccess'.

See Also

http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/2107

http://sourceforge.net/project/shownotes.php?release_id=567189

Plugin Details

Severity: Medium

ID: 30108

File Name: vtiger_htaccess_info_disclosure.nasl

Version: 1.18

Type: remote

Family: CGI abuses

Published: 1/28/2008

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.5

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Information

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Reference Information

CVE: CVE-2008-3458

BID: 27228

CWE: 200