SalesAgility

Random thoughts, frustration, highs and lows from the world of Open Source CRM.

PHP code injection using an image in popular open source CRM systems [0-day]

Or, "a lie gets halfway around the world before the truth has a chance to get its pants on" (Winston Churchill).

The headline was the subject of a blog post last week and referred to alleged vulnerabilities in SuiteCRM.

Let's just tackle this head on: There is no vulnerability to be addressed here. This is a sensationalist article. It is irresponsible, duplicitous and mendacious.

Irresponsible

There is a protocol for reporting vulnerabilities that all responsible technology companies follow – you alert the authors of the software first to give them time to fix the flaw. If they don't fix it, then you go public. In a bid to gain headlines, this idiot flouted that protocol. Dumb move. Even dumber move is that there is no truth in his sensational headline. He's a dumb, attention-seeking, malevolent, unprofessional fool.

Duplicitous

One question is “what's the motive for this?” The answer is straightforward: Yetiforce has a forked version of Vtiger, a second rate open source CRM, that they publish under an open source license that is not recognised by OSI (Open Source Institute). They have little traction and less credibility. By publishing slanderous claims against established and properly constituted open source projects, they hope to gain publicity. They probably have, so maybe it's job done for them in the short term. But this is a marathon and not a sprint.

Mendacious

Other words I could use to describe the article and its author include fraudulent, insincere, deceitful, perfidious, lying or fallacious. Can I make it any clearer? I invite them to sue me if I am wrong.

The Truth

We are just picking over the bones of the latest SuiteCRM vulnerability and penetration tests. We commission a well-known, third-party software security consultancy to audit SuiteCRM several times a year. We act on the output and address the vulnerabilities. All the changes that need to be made in this and every scan we commission find their way into SuiteCRM in a timely fashion. We take security very seriously.


The world of open source does not benefit from the kind of shameful behaviour indulged in by Yetiforce.

The world's large companies implement open source ...

Comments 5

Frank Sagurna on Tuesday, 05 September 2017 07:18

Ok, good, that you make that clear, but if "All the changes ... find their way into SuiteCRM in a timely fashion. We take security very seriously."
why are major security bugs like github #3867 and #4099 not fixed yet?

Greg Soper on Thursday, 07 September 2017 03:46
Type : Maintenance Patch & Security Patch

SuiteCRM 7.9.5

Type : Maintenance Patch & Security Patch

Version : 7.9.5

Released : 06-09-2017

Bug Fixes

Security Issue #3688 Adding escaping to EmailUIAjax.php
Security Issue #4202 Adding blocking module fields in AOW
Security Issue #4203 Add ajaxUILoc XSS protection
Security Issue #4096 System email template access issue
Security Issue #4094 Relationship removal access issue
Security Issue #3851 Improved clean html for sugar fields
Security Issue #3088 Send correct password reset email
Security Issue #3651 Remove delete button in bulk action
Security Issue #3875 Prevents users from editing other employees data
Security Issue #4209 Prevents users from inline editing without access
Security Issue #4102 Only an admin user can set admin access for users

#4140 Fix non-matching declaration of relationship methods in ModuleBuilder
#3903 Fixed #3903 - use correct charset
#4104 Incorrect reference to Suite R+
#4107 Fix for issue Sorting of fields in condition list
#4181 Fixes missing labels
#3898 Duplicated language strings
#4034 Unused language string removal
#3931 Case Typo in html entity
#3623 Fullcalendar - Fixing typo on pt-PT weekdays long format
#3723 Fixed #3723 History summary not sorted SuiteCRM
#3704 Fixed #3704 - Cannot sort by "Account Name" in "Target Lists => Details => Contacts"
#4107 Fix for issue Sorting of fields in condition list #4107
#3919 Fixed #3919 - All archived mails show the same body
#4084 Fixed #4084 - Option "contains" not available in MultiSelect Field
#4074 Fixed installer checkbox html
#4033 Fixed #4033 - Email DetailView does not show recipient/sender-data
#4053 Fixed #4053 - 'send Quote by Email' may send to wrong address
#4048 Fixed #4048 - 7.9.4 - doesn't close window if you reply to, reply to all, forward to imported email
#3735 Fixed #3735 - Undefined values using templates from account module in 7.9.1
#3791 Fixed #3791 - Problems with Umlauts in E-Mail-Client
#3863 Fixed #3863 - Umlauts in signature lose encoding in compose-view
#3420 Fixed #3420 - Regular user does not reach email address field in Reports module
#4062 AOR Reports: Combined PR for AOR fixes

Users of ALL previous 7.9.x releases are advised to Upgrade to 7.9.5 as soon as possible.

Thank you to all community members who contributed, tested and helped with this release.

Greg Soper on Tuesday, 05 September 2017 10:36

@Frank Sagurna: Both have been fixed and will be in a security release that's imminent (next 48 hours). We'll be wrapping up a number of other security issues in this release. I think everyone who wants SuiteCRM to succeed will like this one :-)

Mausino112 on Tuesday, 05 September 2017 21:36
Processes to scan and detect/uncover the security bugs

We are also using many open source programs, and I am wondering about security, which many people did not take seriously (as we saw in SugarCRM CE).

My colleagues and I are impressed by the processes and procedures you use to detect and uncover security bugs.

Would it be possible to write a blog post about how you detect and uncover security bugs, which programs you use to scan, or more information about how it works, for newbies and programmers? Security is very important for every company, and I think it would be very interesting to learn from your company how you do security. // sorry for english

Greg Soper on Wednesday, 06 September 2017 03:54
Blog post

@Mausino112 - thank you for your encouraging words. We aim to get the engineers to do some blogging in the next 12 months and that would be a good topic.
