#1790::logo upload vulnerability in vtiger 7.5 and possibly 8.0

modules/Settings/Vtiger/actions/CompanyDetailsSave.php

@@ -37,8 +37,8 @@ class Settings_Vtiger_CompanyDetailsSave_Action extends Settings_Vtiger_Basic_Ac
                                 $logoDetails = $_FILES['logo'];
 				$saveLogo = Vtiger_Functions::validateImage($logoDetails);
                                 global $upload_badext;// from config.inc.php
-				$binFileName = sanitizeUploadFileName($logoDetails['name'], $upload_badext);
-				if ($saveLogo && pathinfo($binFileName, PATHINFO_EXTENSION) != 'txt') {
+				$logoName = sanitizeUploadFileName($logoDetails['name'], $upload_badext);
+				if ($saveLogo && pathinfo($logoName, PATHINFO_EXTENSION) != 'txt') {
 					$moduleModel->saveLogo($logoName);
                                 } else {
 					$saveLogo = false;

modules/Users/Users.php

@@ -1067,7 +1067,7 @@ class Users extends CRMEntity {
         $encryptFileName = Vtiger_Util_Helper::getEncryptedFileName($binFile);
 		$upload_status = move_uploaded_file($filetmp_name,$upload_file_path.$current_id."_".$encryptFileName);
 
-		if($save_file == 'true') {
+		if($save_file) {
 
 			$sql1 = "insert into vtiger_crmentity (crmid,smcreatorid,smownerid,setype,description,createdtime,modifiedtime) values(?,?,?,?,?,?,?)";
 			$params1 = array($current_id, $current_user->id, $ownerid, $module." Image", $this->column_fields['description'], $this->db->formatString("vtiger_crmentity","createdtime",$date_var), $this->db->formatDate($date_var, true));

modules/Vtiger/helpers/ShowFile.php

@@ -64,6 +64,7 @@ class Vtiger_ShowFile_Helper {
 	 * @param type $fileType - image file type
 	 */
 	static function show($finalFilePath, $fileType, $sanitizedFileName=false) {
+                ob_end_clean();
 		$handle = fopen($finalFilePath, "rb");
 		$contents = fread($handle, filesize($finalFilePath));
 		fclose($handle);