logo upload vulnerability in vtiger 7.5 and possibly 8.0
There is a new logo upload vulnerability exploited in the wild in vtiger 7.5 and possibly 8.0 similar to the one fixed for 7.1 in 2019.
Some of my customers have a php file instead of a vtiger logo in the header of vtiger, and in test/logo I've found an uploaded file manager too! Reading the access.log file I've found the hackers did access vtiger via webservice, and uploaded files.
192.42.116.196 - - [06/Oct/2023:19:17:24 +0000] "POST /webservice.php HTTP/1.1" 200 4746 "-" "python-requests/2.28.1"
192.42.116.196 - - [06/Oct/2023:19:17:26 +0000] "POST /webservice.php HTTP/1.1" 200 4764 "-" "python-requests/2.28.1"
192.42.116.196 - - [06/Oct/2023:19:17:28 +0000] "GET /test/logo/0da80d31.php HTTP/1.1" 200 4550 "-" "python-requests/2.28.1"
192.42.116.196 - - [06/Oct/2023:19:17:37 +0000] "POST /test/logo/0da80d31.php HTTP/1.1" 200 4560 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; YComp 5.0.2.6; yplus 1.0)"
I suggest adding a .htaccess file in test/logo to disable accessing files other than images. If you need more info, let me know.
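The pattern the poster describes in access.log (POST requests to webservice.php from one IP, followed by a GET and then a POST to a .php file under test/logo) can be checked mechanically across a whole log. The script below is an added example, not code from the forum post or from the vtiger project: it parses Apache combined-format lines, flags any request for a script file under the logo upload directory, and notes whether the same client hit webservice.php beforehand. The four sample lines are the ones quoted in the post; the directory and extension lists are assumptions you should adapt to your own install.

```python
import re

# Apache combined log format: ip ident user [time] "METHOD PATH PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumptions: the directory only ever holds images, and these extensions
# are executed by the web server rather than served as static files.
UPLOAD_DIR = "/test/logo/"
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")
WEBSERVICE_PATH = "/webservice.php"

# The four lines quoted in the forum post, used here as sample input.
SAMPLE_LOG = """\
192.42.116.196 - - [06/Oct/2023:19:17:24 +0000] "POST /webservice.php HTTP/1.1" 200 4746 "-" "python-requests/2.28.1"
192.42.116.196 - - [06/Oct/2023:19:17:26 +0000] "POST /webservice.php HTTP/1.1" 200 4764 "-" "python-requests/2.28.1"
192.42.116.196 - - [06/Oct/2023:19:17:28 +0000] "GET /test/logo/0da80d31.php HTTP/1.1" 200 4550 "-" "python-requests/2.28.1"
192.42.116.196 - - [06/Oct/2023:19:17:37 +0000] "POST /test/logo/0da80d31.php HTTP/1.1" 200 4560 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; YComp 5.0.2.6; yplus 1.0)"
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_script_under_upload_dir(path):
    """True if the request path points at a script-type file inside the logo directory."""
    bare = path.split("?", 1)[0].lower()  # drop any query string before checking the extension
    return bare.startswith(UPLOAD_DIR) and bare.endswith(SCRIPT_EXTS)


def find_webshell_hits(lines):
    """Scan log lines in order; return one record per request for a script under the upload dir.

    Each record also says whether that client had already POSTed to webservice.php,
    which is the sequence the post describes (upload via the API, then call the file).
    """
    seen_webservice = set()  # IPs that POSTed to the webservice endpoint
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].split("?", 1)[0] == WEBSERVICE_PATH:
            seen_webservice.add(rec["ip"])
        if is_script_under_upload_dir(rec["path"]):
            hits.append({
                "ip": rec["ip"],
                "time": rec["time"],
                "method": rec["method"],
                "path": rec["path"],
                "status": rec["status"],
                "after_webservice": rec["ip"] in seen_webservice,
            })
    return hits


if __name__ == "__main__":
    for hit in find_webshell_hits(SAMPLE_LOG.splitlines()):
        flag = "after webservice.php POST" if hit["after_webservice"] else "no prior webservice.php POST"
        print(f'{hit["time"]} {hit["ip"]} {hit["method"]} {hit["path"]} {hit["status"]} ({flag})')
```

Run it against a real access.log by replacing SAMPLE_LOG.splitlines() with the file's lines. A 200 status on a GET of a .php file under test/logo means the server executed the upload rather than refusing it, which is exactly what the .htaccess rule the poster suggests (serve only image types from that directory) is meant to prevent; the script is a way to find out whether that already happened.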