Wednesday, October 5, 2011

vTiger CRM 5.2.x | PHP Version Disclosure

How does an attacker learn the PHP version when the server has disabled the "X-Powered-By" response header (i.e. expose_php = Off in php.ini)?

vTiger CRM has a flaw that lets an unauthenticated attacker learn the exact PHP version: the installation ships a helper page that prints it.

An attacker can obtain it simply by requesting the following URL, no login required:

 /phpversionfail.php

The page responds with:
"PHP 5.0.x or above is required. Your current PHP version is 5.3
Kindly upgrade the PHP installation, any try again!"
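A small probe that checks an installation for this leak, written as an added example for this post (it is not vTiger's code and not part of the original advisory). It requests /phpversionfail.php, reports the X-Powered-By header alongside the version string pulled from the page body, so the reader can see the body leaking the version even when the header is suppressed. The hostname, the User-Agent string and the sample response body are constructed assumptions, and the regular expression is written to accept any dotted version (5.3, 5.3.8, ...), not just the one quoted above.

```python
"""Probe a vTiger CRM install for the /phpversionfail.php version leak.

Added example; the hostname, User-Agent string and sample response body
are assumptions, not taken from the advisory or from vTiger's own code.
"""
import re
import sys
import urllib.error
import urllib.request

PROBE_PATH = "/phpversionfail.php"

# The version string appears in plain text after this phrase, e.g.
# "Your current PHP version is 5.3". Also matches "5.3.8" or "5.2.17".
VERSION_RE = re.compile(r"Your current PHP version is\s*([0-9]+(?:\.[0-9]+)*)")

# Constructed sample response, modelled on the message quoted in the post.
SAMPLE_BODY = (
    "PHP 5.0.x or above is required. Your current PHP version is 5.3\n"
    "Kindly upgrade the PHP installation, any try again! "
)


def probe_url(base_url: str) -> str:
    """Build the probe URL from the CRM base URL (trailing slash optional)."""
    return base_url.rstrip("/") + PROBE_PATH


def extract_php_version(body: str):
    """Return the PHP version disclosed in the page body, or None if absent."""
    m = VERSION_RE.search(body)
    return m.group(1) if m else None


def probe(base_url: str, timeout: float = 10.0) -> dict:
    """Fetch the page and report the header-based and body-based disclosure.

    Both are returned together so the caller can see that the body leaks
    the version even when expose_php=Off removes X-Powered-By.
    """
    req = urllib.request.Request(
        probe_url(base_url),
        headers={"User-Agent": "vtiger-phpversion-check/1.0"},  # assumed UA
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
            return {
                "status": resp.status,
                "x_powered_by": resp.headers.get("X-Powered-By"),
                "php_version": extract_php_version(body),
            }
    except urllib.error.HTTPError as e:
        # A 403/404 here usually means the file was removed or blocked.
        return {"status": e.code, "x_powered_by": None, "php_version": None}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"usage: {sys.argv[0]} https://crm.example.com", file=sys.stderr)
        sys.exit(2)
    result = probe(sys.argv[1])
    if result["php_version"]:
        print(f"leaks PHP {result['php_version']} via {PROBE_PATH} "
              f"(X-Powered-By: {result['x_powered_by']})")
    else:
        print(f"no version string found (HTTP {result['status']})")
```

Run it as `python3 probe.py https://crm.example.com` against your own installation. On the defensive side the obvious fix is to remove the file or deny access to it at the web server, after which the probe reports a 403/404 and no version.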


Version Affected:

Tested on vTiger CRM 5.2.1