SugarCRM 9.0.1 PHP Code Injection

SugarCRM versions 9.0.1 and below suffer from multiple PHP code injection vulnerabilities.


MD5 | 1138730283969f03621d804b3942381f

-------------------------------------------------------------
SugarCRM <= 9.0.1 Multiple PHP Code Injection Vulnerabilities
-------------------------------------------------------------


[-] Software Link:

https://www.sugarcrm.com


[-] Affected Versions:

Version 9.0.1 and prior versions, 8.0.3 and prior versions.


[-] Vulnerabilities Description:

1) When handling the "Locale" action within the "Administration" module,
the application allows arbitrary settings to be injected into the
'config_override.php' file. This can be exploited by malicious users to
inject and execute arbitrary PHP code, e.g. by setting the file extension
of the system log file to .php. Successful exploitation of this
vulnerability requires a System Administrator account.

2) When handling the "SaveRelationship" action within the "ModuleBuilder"
module, the application allows arbitrary settings to be injected into the
'config_override.php' file. This can be exploited by malicious users to
inject and execute arbitrary PHP code, e.g. by setting the file extension
of the system log file to .php.

3) When handling the "PasswordManager" action within the "Administration"
module, the application allows arbitrary settings to be injected into the
'config_override.php' file. This can be exploited by malicious users to
inject and execute arbitrary PHP code, e.g. by setting the file extension
of the system log file to .php. Successful exploitation of this
vulnerability requires a System Administrator account.

4) When handling the "saveadminwizard" action within the "Configurator"
module, the application allows arbitrary settings to be injected into the
'config_override.php' file. This can be exploited by malicious users to
inject and execute arbitrary PHP code, e.g. by setting the file extension
of the system log file to .php. Successful exploitation of this
vulnerability requires a System Administrator account.

5) When handling the "trackersettings" action within the "Trackers"
module, the application allows arbitrary settings to be injected into the
'config_override.php' file. This can be exploited by malicious users to
inject and execute arbitrary PHP code, e.g. by setting the file extension
of the system log file to .php.

6) When handling the "updatewirelessenabledmodules" action within the
"Administration" module, the application allows arbitrary settings to be
injected into the 'config_override.php' file. This can be exploited by
malicious users to inject and execute arbitrary PHP code, e.g. by setting
the file extension of the system log file to .php. Successful
exploitation of this vulnerability requires a System Administrator
account.
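
The six findings above share one pattern: a save action copies
client-supplied settings into 'config_override.php' without restricting
which keys may be set, so a setting such as the log file extension becomes
attacker-controlled, and once text the attacker also controls is logged
the log file is a PHP script (reachable as one only if the log file is
served from under the web root). The PHP below is an added illustration
of that pattern beside its fix; it is not SugarCRM's code, and the setting
names, the flat dotted-key layout of the override file and the validation
patterns are assumptions made for the example.

```php
<?php
// Added illustration, not SugarCRM's code. It models the pattern shared by
// the six findings: an admin-side "save settings" action that copies every
// submitted key into config_override.php, beside a version that only writes
// the keys the action owns. Key names and the flat dotted-key form used for
// the override file are assumptions for illustration.

// Render the override file as PHP source. var_export() emits each key and
// value as a quoted literal, so a hostile key or value cannot close the
// string and append its own statement; the danger in the advisory is the
// *choice* of key, which this renderer does nothing to restrict.
function render_override(array $settings): string
{
    $src = "<?php\n";
    foreach ($settings as $key => $value) {
        $src .= '$sugar_config[' . var_export((string) $key, true) . '] = '
              . var_export($value, true) . ";\n";
    }
    return $src;
}

// Vulnerable: whatever the client posts is accepted. A request carrying
// logger.file.ext=.php turns the log file into a .php script; once text the
// attacker controls is logged (and the log sits under the web root) it runs.
function save_settings_vulnerable(array $post): string
{
    $settings = [];
    foreach ($post as $key => $value) {
        $settings[$key] = $value;     // no allowlist: any config key may be set
    }
    return render_override($settings);
}

// Hardened: this action may only touch its own settings, and each value must
// match a narrow pattern. Unknown keys are rejected rather than silently kept.
// (Assumed key names and patterns; a real handler would use its own table.)
const LOCALE_SETTINGS = [
    'default_date_format' => '/^[YmdjnHis\/. -]{1,16}$/',
    'default_time_format' => '/^[HhGgiAa:. ]{1,10}$/',
];

function save_settings_hardened(array $post): string
{
    $unknown = array_diff(array_keys($post), array_keys(LOCALE_SETTINGS));
    if ($unknown) {
        throw new InvalidArgumentException(
            'Rejected settings: ' . implode(', ', $unknown));
    }
    $settings = [];
    foreach (LOCALE_SETTINGS as $key => $pattern) {
        if (!array_key_exists($key, $post)) {
            continue;
        }
        if (!is_string($post[$key]) || !preg_match($pattern, $post[$key])) {
            throw new InvalidArgumentException("Bad value for $key");
        }
        $settings[$key] = $post[$key];
    }
    return render_override($settings);
}

// Constructed request: a legitimate locale change plus one injected key.
$request = [
    'default_date_format' => 'Y-m-d',
    'logger.file.ext'     => '.php',
];

echo "--- vulnerable ---\n", save_settings_vulnerable($request);

echo "--- hardened ---\n";
try {
    echo save_settings_hardened($request);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Run it with php on the command line: the vulnerable path renders an
override line for the injected logger.file.ext key, while the hardened
path refuses the whole request before anything is written. The allowlist
is deliberately per action; each of the six handlers named above would
carry its own short table rather than share a global one, since a setting
the Locale page may change is not one the Trackers page should.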


[-] Solution:

Upgrade to version 9.0.2, 8.0.4, or later.


[-] Disclosure Timeline:

[07/02/2019] - Vendor notified
[01/10/2019] - Versions 9.0.2 and 8.0.4 released
[10/10/2019] - Publication of this advisory


[-] Credits:

Vulnerabilities discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2019-07


[-] Other References:

https://support.sugarcrm.com/Documentation/Sugar_Versions/9.0/Ent/Sugar_9.0.2_Release_Notes
