Post Thu Sep 26, 2013 5:38 am

HTB23172: Multiple Vulnerabilities in X2CRM

Advisory ID: HTB23172
Product: X2CRM
Vendor: X2Engine Inc.
Vulnerable Versions: 3.4.1 and probably prior
Tested Version: 3.4.1
Advisory Published: September 4, 2013
Vendor Notification: September 4, 2013
Vendor Fix: September 10, 2013
Public Disclosure: September 25, 2013
Vulnerability Type: PHP File Inclusion [CWE-98], Cross-Site Scripting [CWE-79]
CVE References: CVE-2013-5692, CVE-2013-5693
Risk Level: High
CVSSv2 Base Scores: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab

Advisory Details:
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in X2CRM, which can be exploited to include arbitrary local files and execute arbitrary PHP code, as well as to perform Cross-Site Sripting (XSS) attacks against users of vulnerable application.

1) PHP File Inclusion in X2CRM: CVE-2013-5692
The vulnerability exists due to insufficient filtration of the "file" HTTP GET parameter passed to "/index.php/admin/translationManager" URL before using it in PHP "include()" function. A remote authenticated administrator can include and execute arbitrary local PHP files on the target system using directory traversal sequences.
The following exploitation example displays content of "/etc/passwd" file:
Successful exploitation of this vulnerability requires administrative privileges, however it can be also exploited via CSRF vector to which the application is prone.
Simple CSRF exploit below includes and executes "/tmp/file.php" script:
<img src="http://[host]/index.php/admin/translationManager?file=../../../../../tmp/file.php">

2) Cross-Site Scripting (XSS) in X2CRM: CVE-2013-5693
The vulnerability exists due to insufficient sanitisation of user-supplied data in "model" HTTP GET parameter passed to "/index.php/admin/editor" URL. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
The exploitation example below uses JavaScript "alert()" function to display administrator's cookies:
http://[host]/index.php/admin/editor?model=%3C/script%3E%3Cscript%3Ealert%28document.cookie%29;%3C/s cript%3E

Update to X2CRM 3.5

More Information: ... -released/

[1] High-Tech Bridge Advisory HTB23172 - - Multiple vulnerabilities in X2CRM.
[2] X2CRM - - X2CRM is an open source based Sales, Marketing Automation and Service application designed exclusively for companies that require a tightly focused customer information system.
[3] Common Vulnerabilities and Exposures (CVE) - - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.