vTiger CRM 5.2.x | PHP Version Disclosure

How can an attacker learn the PHP version when the server has disabled the "X-Powered-By" header (i.e. expose_php = Off)?

vTiger CRM has a flaw that lets an attacker learn the exact PHP version without authentication.

The version is displayed to anyone who visits the following URL; no login is required:

 /phpversionfail.php

 The message shows:
"PHP 5.0.x or above is required. Your current PHP version is 5.3
Kindly upgrade the PHP installation, any try again! "


Version Affected:

Tested on vTiger CRM 5.2.1 
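
To see whether the page has been requested on your own server, the access log can be checked for it. The script below is an added example, not part of the original advisory or of vTiger; it assumes Apache/nginx Combined Log Format, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
PROBE_FILE = "phpversionfail.php"  # file named in the advisory


def find_probes(lines):
    """Return (ip, time, path, status) for every request aimed at the page."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, when, _method, target, status = m.groups()
        # Decode percent-escapes, drop the query string and ignore case, so
        # variants and installs under a sub-directory are matched as well.
        path = unquote(urlsplit(target).path).lower()
        if path.rsplit("/", 1)[-1] == PROBE_FILE:
            hits.append((ip, when, path, int(status)))
    return hits


def disclosed(hits):
    """Keep only requests answered with 200, i.e. the message was served."""
    return [h for h in hits if h[3] == 200]


# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE = [
    '198.51.100.7 - - [10/Mar/2012:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2012:10:02:11 +0000] "GET /phpversionfail.php HTTP/1.1" 200 160 "-" "curl/7.21"',
    '203.0.113.9 - - [10/Mar/2012:10:02:15 +0000] "GET /crm/PHPVersionFail.php?x=1 HTTP/1.1" 404 210 "-" "curl/7.21"',
    '192.0.2.44 - - [10/Mar/2012:11:30:00 +0000] "GET /vtiger/phpversionfail%2Ephp HTTP/1.1" 200 160 "-" "-"',
]

if __name__ == "__main__":
    for ip, when, path, status in find_probes(SAMPLE):
        note = "version message served" if status == 200 else "not served"
        print(f"{when}  {ip}  {path}  {status}  ({note})")
```

Any line reported with status 200 means the version message was returned to that client; removing the file or denying access to it at the web server stops the disclosure.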
