vtiger CRM Exploit Bots

I recently noticed various similar entries in my web server’s error log:

[date+time] [error] [client IP] File does not exist: /path/to/vtigercrm

The access log contained 404 entries of the form

IP - - [date+time] 
"GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/elastix.conf%00&module=Accounts&action 
HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9) Gecko/2008052906 Firefox/3.0"

starting about March 2012 and going on until today.

The files required also include /etc/asterisk/sip_additional.conf, /etc/amportal.conf, indicating a search for free communication means.

Sometimes there is only a request probing whether the /vtigercrm directory or the /vtigercrm/index.php file exist.

The internetz know more about vtiger CRM exploits, such as this advisory describing a couple of vulnerabilities, e.g. directory traversal to retrieve the contents of a configuration file by passing the current_language parameter.

If only PHP programmers knew that their programming language is full of holes, and created code accordingly.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.