vtiger CRM 5.2.1 Multiple Remote Cross-Site Scripting Vulnerabilities

Title: vtiger CRM 5.2.1 Multiple Remote Cross-Site Scripting Vulnerabilities
Advisory ID: ZSL-2011-5052
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 26.10.2011
Summary
vtiger CRM is a free, full-featured, 100% Open Source CRM software ideal for small and medium businesses, with low-cost product support available to production users that need reliable support.
Description
vtiger CRM suffers from a reflected XSS vulnerability: user input passed to the '_operation' and 'search' parameters via the GET method is not sanitized before being parsed by the '/modules/mobile/index.php' script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
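The following is an added example, not vtiger code and not part of the original advisory. It shows two defender-side checks for the issue described above: a detection routine that scans Apache combined-format access-log lines for requests to '/modules/mobile/index.php' whose '_operation' or 'search' values carry HTML-significant characters, and the output-encoding step (HTML entity escaping) that a patched handler would apply before reflecting such a value. The script path and parameter names are taken from the advisory; the log lines, client addresses and parameter values are constructed for the example, and the character set treated as suspicious is an assumption.

```python
"""Detection and output-encoding example for ZSL-2011-5052 (added example,
not vtiger code). Sample log lines below are constructed."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Script and parameters named in the advisory.
VULNERABLE_PATH = "/modules/mobile/index.php"
VULNERABLE_PARAMS = ("_operation", "search")

# Apache combined log: client ident user [time] "METHOD URI PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumption: an operation name or search term never legitimately needs
# characters that open or close an HTML tag or attribute.
MARKUP_RE = re.compile(r'[<>"\']', re.IGNORECASE)


def suspicious_params(uri):
    """Return the vulnerable parameter names whose URL-decoded value contains
    HTML-significant characters; empty list if the path does not match."""
    parts = urlsplit(uri)
    if parts.path != VULNERABLE_PATH:
        return []
    query = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    for name in VULNERABLE_PARAMS:
        if any(MARKUP_RE.search(v) for v in query.get(name, [])):
            hits.append(name)
    return hits


def scan_log(lines):
    """Return (client, time, [param names]) for each GET request to the
    vulnerable script that carries markup in a vulnerable parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        hits = suspicious_params(m.group("uri"))
        if hits:
            findings.append((m.group("client"), m.group("time"), hits))
    return findings


def encode_for_html(value):
    """The fix a handler needs before echoing a parameter into a page:
    escape <, >, &, " and ' so the value can only render as text."""
    return html.escape(value, quote=True)


# Constructed sample access-log lines (addresses and values are made up).
SAMPLE_LOG = [
    # Benign request: plain values in both parameters.
    '10.0.0.5 - - [26/Oct/2011:10:00:01 +0200] "GET /modules/mobile/index.php'
    '?_operation=list&search=acme HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # Markup in 'search' (URL-encoded <b>x</b>).
    '10.0.0.9 - - [26/Oct/2011:10:00:07 +0200] "GET /modules/mobile/index.php'
    '?_operation=list&search=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    # Attribute break-out in '_operation' (URL-encoded "><b>).
    '10.0.0.9 - - [26/Oct/2011:10:00:12 +0200] "GET /modules/mobile/index.php'
    '?_operation=%22%3E%3Cb%3E HTTP/1.1" 200 630 "-" "Mozilla/5.0"',
    # Same characters against a different script: outside this rule's scope.
    '10.0.0.9 - - [26/Oct/2011:10:00:20 +0200] "GET /index.php'
    '?search=%3Cb%3E HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, when, params in scan_log(SAMPLE_LOG):
        print(f"{when} {client} markup in {', '.join(params)}")
    print(encode_for_html('"><b>x</b>'))
```

The rule keys on the URL-decoded value, so percent-encoded and `+`-encoded payloads are caught the same way the PHP runtime would see them; a WAF or log pipeline that compares the raw query string instead will miss them. Encoding on output rather than rejecting on input is the durable fix, because it does not depend on guessing every character an attacker might use.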
Vendor
vTiger - http://www.vtiger.com
Affected Version
5.2.1
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache/2.0.52 (Win32)
PHP/5.2.6
MySQL 5.0.51b-community-nt-log
Vendor Status
[28.07.2011] Vulnerabilities discovered.
[28.07.2011] Initial contact with the vendor.
[29.07.2011] Vendor replies asking more details.
[29.07.2011] Sent details to vendor.
[01.08.2011] Requested status update from vendor.
[02.08.2011] Vendor investigates and confirms issues.
[02.08.2011] Asked vendor for patch release date.
[04.08.2011] No reply from vendor.
[05.08.2011] Asked vendor to specify patch release date.
[05.08.2011] Vendor plans to release the 5.3.0 RC by the end of the month.
[21.08.2011] Asked vendor for specific patch release date.
[22.08.2011] Vendor replies promising official release by mid September.
[14.09.2011] Asked vendor for update.
[14.09.2011] Vendor replies extending official release date.
[26.10.2011] Coordinated public security advisory released.
PoC
vtiger_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://wiki.vtiger.com/index.php/Vtiger530:Release_Notes
[2] http://www.exploit-db.com/ghdb/3737/
[3] http://packetstormsecurity.org/files/106229
[4] http://securityreason.com/wlb_show/WLB-2011100099
[5] http://secunia.com/advisories/42304/
[6] http://www.securityfocus.com/bid/50364
[7] http://xforce.iss.net/xforce/xfdb/70983
Changelog
[26.10.2011] - Initial release
[27.10.2011] - Added reference [7]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk