In Vtiger CRM any user can change User name to admin!
Yes, that is correct. We recently came across this critical issue with Vtiger 6.x.
Vtiger allows users to change their User name from the My Preferences page. There is no check for duplicates, so a user can change his/her User name to anything, even admin.
To reproduce this issue:
- Login to your CRM (any user admin, non-admin)
- Go to My Preferences
- Click on Edit
- Enter any value for User name field (try even admin)
Surprisingly, this changes your User name (to admin, if that is what you entered).
This then prevents any other user with that same name from logging in.
Although a user cannot Quick Edit the User name field, it can be changed from the Full Edit form.
In contrast, trying to add a new user with a duplicate User name fails with an error.
How to fix it?
The fix is very simple: change the user_name field's displaytype to "2" in the vtiger_field table.
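As an added illustration (not code from Vtiger or from this post), the snippet below models the two tables involved in an in-memory SQLite database, applies the displaytype fix described above, and adds the duplicate check that the update path lacks while the create path has it. The table and column names are the real ones; the Users module tabid of 29 and the two sample accounts are assumptions.

```python
import sqlite3

# Assumed tabid of the Users module in vtiger_tab.
USERS_TABID = 29


def make_db():
    """Constructed stand-in for vtiger_field and vtiger_users (real tables have
    many more columns). Seeded with an admin account and one ordinary user."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE vtiger_field (tabid INTEGER, fieldname TEXT, displaytype INTEGER);
        CREATE TABLE vtiger_users (id INTEGER PRIMARY KEY, user_name TEXT);
        INSERT INTO vtiger_field VALUES (29, 'user_name', 1), (29, 'email1', 1);
        INSERT INTO vtiger_users VALUES (1, 'admin'), (2, 'alice');
    """)
    return conn


def apply_fix(conn):
    """The fix from the post: displaytype 2 makes user_name non-editable
    on the Full Edit form. Returns the number of rows changed (expect 1)."""
    cur = conn.execute(
        "UPDATE vtiger_field SET displaytype = 2 "
        "WHERE tabid = ? AND fieldname = 'user_name'", (USERS_TABID,))
    return cur.rowcount


def user_name_editable(conn):
    """True while the field is still exposed for editing."""
    row = conn.execute(
        "SELECT displaytype FROM vtiger_field "
        "WHERE tabid = ? AND fieldname = 'user_name'", (USERS_TABID,)).fetchone()
    return row is not None and row[0] != 2


def rename_user(conn, user_id, new_name):
    """Defensive second layer: refuse a rename that collides with any other
    account (case-insensitive), mirroring the check the create path already
    performs. Returns True if the rename was applied."""
    clash = conn.execute(
        "SELECT id FROM vtiger_users WHERE lower(user_name) = lower(?) AND id <> ?",
        (new_name, user_id)).fetchone()
    if clash:
        return False
    conn.execute("UPDATE vtiger_users SET user_name = ? WHERE id = ?",
                 (new_name, user_id))
    return True
```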
To track the issue in the Vtiger Git repository, follow the link below: