vTiger CRM 5.2.x | PHP Version Disclosure

How do attackers learn the PHP version when the server has disabled the "X-Powered-By" header (i.e. expose_php = Off)?

vTiger CRM has a flaw that lets attackers learn the exact PHP version without authentication.

An attacker can learn it simply by visiting the following URL without authentication:

 /phpversionfail.php

 The message shows:
"PHP 5.0.x or above is required. Your current PHP version is 5.3
Kindly upgrade the PHP installation, any try again! "


Version Affected:

Tested on vTiger CRM 5.2.1 
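
To check whether this page has been requested on your own installation, the following added example (not part of the original advisory or of vTiger) scans web server access logs for requests to phpversionfail.php. It assumes Apache/nginx "combined" log format and that a 200 response means the version message was returned; the function name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache/nginx "combined" log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
TARGET_FILE = "phpversionfail.php"  # script named in the advisory


def find_version_probes(lines):
    """Return (ip, timestamp, path, status, disclosed) for each request to the script."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-request lines
        # Decode percent-encoding and drop the query string before matching,
        # so /crm/%70hpversionfail.php?x=1 is still recognised.
        path = unquote(urlsplit(m["target"]).path)
        if path.rsplit("/", 1)[-1].lower() != TARGET_FILE:
            continue
        status = int(m["status"])
        # Assumption: a 200 means the page rendered and the version was returned.
        hits.append((m["ip"], m["ts"], path, status, status == 200))
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2012:10:01:02 +0000] "GET /phpversionfail.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2012:10:01:05 +0000] "GET /crm/%70hpversionfail.php?x=1 HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2012:10:02:00 +0000] "GET /index.php?module=Home HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2012:10:03:00 +0000] "GET /phpversionfail.php HTTP/1.1" 403 199 "-" "curl/7.21"',
]

if __name__ == "__main__":
    for ip, ts, path, status, disclosed in find_version_probes(SAMPLE_LOG):
        verdict = "version disclosed" if disclosed else "blocked or missing"
        print(f"{ts} {ip} {path} -> {status} ({verdict})")
```

Entries that still return 200 indicate the script is reachable; once access to the file is removed or denied, the same requests should show up with a 403 or 404 status instead.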
