***April 2nd, 2012 UPDATE: Some users may experience performance issues after applying the security patch below. If you do experience performance issues, please download and apply this patch after applying the security patch.
As many of you are aware, Vtiger CRM Open Source 6.0 is still under development and is slated for a May release. For those currently using Vtiger CRM Open Source 5.4, we would like to recommend applying a new security patch, which fixes a series of vulnerabilities reported by Mr. Nick Freeman from security-assessment.com and Mr. Egidio. The patch covers the following discovered vulnerabilities:
Local File Inclusion
Local File Deletion
SQL Injection
PHP Code Injection
Cross site scripting
Arbitrary File Upload
Authentication Bypass vulnerabilities(SOAP API’s)
1. Before deploying the patch
It is essential to have an available backup of your Vtiger installation in the result of any errors. To do this, create a copy of the entire Vtiger folder, and place it in a different location. As there is no database change in this particular case, a database dump is unnecessary.
2. Obtaining the patch files
Download the patch files from:
SourceForge Vtiger Link
3. Upload the patch files to your Vtiger CRM 5.4.0 folder
4. Extract the patch files to that directory, overwriting any files as necessary
