Multiple Vulnerabilities In SugarCRM
December 1, 2021
Vendor : SugarCRM
URL : http://www.sugarcrm.com
Version : SugarCRM 1.5 & 2.0
Risk : Multiple Vulnerabilities
BID : http://www.securityfocus.com/bid/11740


Description:
Sugar Sales Professional is the solution for companies who use Sugar Sales in a production environment for mission-critical sales knowledge management. Sugar Sales Professional is a visible source CRM application that offers more features than the open source application. It also includes support by SugarCRM staff. Sugar Sales Professional expands the open source application benefits so that your company experiences better performance, integration and support.


Cross Site Scripting:
SugarCRM suffers from a great number of Cross Site Scripting issues. Below are examples of the issues.

/index.php?action=UnifiedSearch&module=Home&search_form=false&query_string=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
/index.php?module=Accounts&action=ListView&query=true&name=[XSS]

There are also a large number of XSS issues when scripts are called directly. For example:

/index.php?action=index&module=Home&mod_strings[LNK_NEW_CONTACT]=%3Cscript%3Ealert(document.cookie)%3C/script%3E

/modules/Users/Error.php?app_strings[NTC_CLICK_BACK]=%3Cscript%3Ealert(document.cookie)%3C/script%3E

I am sure that there are many more XSS issues than these, but a very large number are due to scripts not being secure when include scripts are called. This should not be too hard to fix. The majority of these Cross Site Scripting issues are not present if register_globals is off, but are present in the latest version of SugarCRM (2.0).


HTML/Script Injection:
HTML/Script Injection issues were all found by Damon Wood while working with GulfTech Security Research. Almost all input fields used when adding emails, calls, contacts, accounts, etc. are not properly sanitized and can lead to possible client side code execution.


SQL Injection Vulnerabilities:
There are several SQL Injection issues in SugarCRM that may allow an attacker to view or change sensitive information.

index.php?action=DetailView&module=Accounts&record=[SQL]

Anywhere you see the "record" variable, SQL Injection is possible.


File Include Vulnerability:
This vulnerability may allow an attacker to retrieve or view the contents of files on the remote machine, limited only by the privileges of the webserver.

/index.php?module=Opportunities&action=../../../../../../../../etc/passwd%00&advanced=true
/index.php?action=DetailView&module=../../../../../etc/passwd%00

So, basically anywhere you can view the action or module field you can include files on the local machine.


Solution:
The SugarCRM 2.0.1d patch in late December addressed the issues and they have been re-verified in the subsequent 2.5.1 and 3.0 releases.
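
For installations that ran an affected version, the request shapes listed in the sections above can be turned into a triage check for web server access logs. This is an added example, not part of the original advisory or SugarCRM's code; the finding labels and the assumed formats for module, action and record values are assumptions of the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumptions (not taken from SugarCRM's code): module/action names are plain
# identifiers, and record ids contain only letters, digits and hyphens.
IDENT = re.compile(r"[A-Za-z0-9_]+")
RECORD_ID = re.compile(r"[A-Za-z0-9-]+")
# Language-string arrays that only the application itself should populate.
STRING_ARRAY = re.compile(r"(mod_strings|app_strings)\[")
MARKUP = re.compile(r"[<>]")

def classify(request_target):
    """Return sorted finding labels for one request target (path plus query)."""
    findings = set()
    query = urlsplit(request_target).query
    # parse_qsl percent-decodes, so %00 and %3C are checked in decoded form.
    for name, value in parse_qsl(query):
        if name in ("module", "action") and not IDENT.fullmatch(value):
            findings.add("file-include")      # slashes, dots or NUL in an include selector
        if name == "record" and not RECORD_ID.fullmatch(value):
            findings.add("sql-injection")     # record value is not a plain id
        if STRING_ARRAY.match(name):
            findings.add("string-override")   # request tries to set a language string
        if MARKUP.search(value):
            findings.add("xss")               # markup in a parameter value
    return sorted(findings)

# Request targets from the advisory, plus one constructed benign request (last).
SAMPLES = [
    "/index.php?action=UnifiedSearch&module=Home&search_form=false&query_string=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E",
    "/modules/Users/Error.php?app_strings[NTC_CLICK_BACK]=%3Cscript%3Ealert(document.cookie)%3C/script%3E",
    "/index.php?action=DetailView&module=Accounts&record=[SQL]",
    "/index.php?module=Opportunities&action=../../../../../../../../etc/passwd%00&advanced=true",
    "/index.php?action=DetailView&module=Accounts&record=1a2b3c4d-0000-0000-0000-000000000000",
]

def scan(targets):
    """Map each suspicious request target to its findings; clean ones are omitted."""
    return {t: f for t in targets if (f := classify(t))}

if __name__ == "__main__":
    for target, findings in scan(SAMPLES).items():
        print(", ".join(findings), "<-", target)
```

Only the query string is inspected, so values submitted in POST bodies (the HTML/Script Injection fields) are outside what this check sees.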


Credits:
James Bercegay of the GulfTech Security Research Team