
Full Disclosure mailing list archives
[KIS-2019-07] SugarCRM <= 9.0.1 Multiple PHP Code Injection Vulnerabilities
From: Egidio Romano <research () karmainsecurity com>
Date: Thu, 10 Oct 2019 20:39:22 +0200
-------------------------------------------------------------
SugarCRM <= 9.0.1 Multiple PHP Code Injection Vulnerabilities
-------------------------------------------------------------

[-] Software Link:

https://www.sugarcrm.com

[-] Affected Versions:

Version 9.0.1 and prior versions.
Version 8.0.3 and prior versions.

[-] Vulnerabilities Description:

All six issues share the same root cause: a settings-save action writes user-supplied keys and values into the 'config_override.php' file without limiting them to the settings the action is meant to manage. A user who can reach the action can therefore inject arbitrary configuration settings, and can turn that into execution of arbitrary PHP code by, for example, setting the file extension of the system log file to .php, so that whatever is written to the log is afterwards served as PHP.

1) The "Locale" action within the "Administration" module. Successful exploitation of this vulnerability requires a System Administrator account.

2) The "SaveRelationship" action within the "ModuleBuilder" module.

3) The "PasswordManager" action within the "Administration" module. Successful exploitation of this vulnerability requires a System Administrator account.

4) The "saveadminwizard" action within the "Configurator" module. Successful exploitation of this vulnerability requires a System Administrator account.

5) The "trackersettings" action within the "Trackers" module.

6) The "updatewirelessenabledmodules" action within the "Administration" module. Successful exploitation of this vulnerability requires a System Administrator account.
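The pattern behind the six issues, as an added illustration in PHP that is not SugarCRM's code (neither the vulnerable nor the patched version): a settings handler that merges every request key into the configuration array and then rewrites the override file, shown beside an allowlisting handler and a logger-side guard against executable extensions. The request key syntax ("logger.file.ext"), the allowed Locale keys and their regexes, and the `$sugar_config[...]` one-assignment-per-line format used when rendering the override file are assumptions made for this example, not details taken from the product.

```php
<?php
// Added illustration of the config-injection bug class, not SugarCRM code.
declare(strict_types=1);

// Vulnerable pattern: every request key is copied into the override config.
// A request carrying "logger.file.ext" => ".php" redirects application logging,
// which includes attacker-influenced strings, into a file PHP will execute.
function save_settings_vulnerable(array $request, array $config): array
{
    foreach ($request as $key => $value) {
        // Assumption for the example: dotted keys expand to nested config arrays.
        set_nested($config, explode('.', $key), $value);
    }
    return $config;
}

// Hardened pattern: only the keys this action owns are accepted, each value is
// validated against a strict pattern, and unknown keys are dropped rather than written.
// Key names and patterns are assumptions for the example.
const LOCALE_ALLOWED_KEYS = [
    'default_date_format'      => '/^[mdY\/.\-]{5,10}$/',
    'default_time_format'      => '/^[Hhi:aA ]{3,8}$/',
    'default_currency_iso4217' => '/^[A-Z]{3}$/',
];

function save_settings_hardened(array $request, array $config): array
{
    foreach ($request as $key => $value) {
        if (!isset(LOCALE_ALLOWED_KEYS[$key])) {
            continue;                                   // not a Locale setting: ignored
        }
        if (!is_string($value) || !preg_match(LOCALE_ALLOWED_KEYS[$key], $value)) {
            throw new InvalidArgumentException("Rejected value for $key");
        }
        $config[$key] = $value;
    }
    return $config;
}

// Defence in depth at the consumer: the logger refuses an executable extension no
// matter how it reached the configuration, falling back to a safe default.
function safe_log_extension(string $ext): string
{
    $executable = ['.php', '.phtml', '.phar', '.php3', '.php4', '.php5', '.php7', '.phps'];
    return preg_match('/^\.[a-z0-9]{1,5}$/', $ext) && !in_array(strtolower($ext), $executable, true)
        ? $ext
        : '.log';
}

function set_nested(array &$arr, array $path, $value): void
{
    $ref = &$arr;
    foreach ($path as $segment) {
        if (!isset($ref[$segment]) || !is_array($ref[$segment])) {
            $ref[$segment] = [];
        }
        $ref = &$ref[$segment];
    }
    $ref = $value;
}

// Render the override file as one assignment per leaf key (assumed format).
function render_override(array $config): string
{
    $out = "<?php\n";
    foreach (flatten($config) as $path => $value) {
        $out .= '$sugar_config' . $path . ' = ' . var_export($value, true) . ";\n";
    }
    return $out;
}

function flatten(array $config, string $prefix = ''): array
{
    $rows = [];
    foreach ($config as $k => $v) {
        $path = $prefix . '[' . var_export($k, true) . ']';
        if (is_array($v)) {
            $rows += flatten($v, $path);
        } else {
            $rows[$path] = $v;
        }
    }
    return $rows;
}

// Constructed request: a Locale form submission with one extra, unrelated key.
$request = [
    'default_date_format' => 'Y-m-d',
    'logger.file.ext'     => '.php',      // the injected setting
];
$base = ['logger' => ['file' => ['ext' => '.log']]];

echo "--- vulnerable handler ---\n", render_override(save_settings_vulnerable($request, $base));
echo "--- hardened handler ---\n",   render_override(save_settings_hardened($request, $base));
echo "--- logger guard on the injected value ---\n", safe_log_extension('.php'), "\n";
```

The allowlist is the actual fix: the request is a form for one administrative screen, so the set of keys it may change is known in advance and anything else is noise or an attack. The logger-side guard is a second layer that also protects against any other path by which the extension could be changed, including a legitimately privileged but careless administrator.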
[-] Solution:

Upgrade to version 9.0.2, 8.0.4, or later.

[-] Disclosure Timeline:

[07/02/2019] - Vendor notified
[01/10/2019] - Versions 9.0.2 and 8.0.4 released
[10/10/2019] - Publication of this advisory

[-] Credits:

Vulnerabilities discovered by Egidio Romano.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2019-07

[-] Other References:

https://support.sugarcrm.com/Documentation/Sugar_Versions/9.0/Ent/Sugar_9.0.2_Release_Notes

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/