| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <576C5BF1.8050005@karmainsecurity.com>
Date: Fri, 24 Jun 2016 00:00:17 +0200
From: Egidio Romano <research@...mainsecurity.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: [FD] [KIS-2016-03] SugarCRM <= 6.5.18 (SAML Authentication) XML
External Entity Vulnerability
--------------------------------------------------------------------------
SugarCRM <= 6.5.18 (SAML Authentication) XML External Entity Vulnerability
--------------------------------------------------------------------------
[-] Software Link:
http://www.sugarcrm.com/
[-] Affected Versions:
Version 6.5.18 CE and prior versions.
[-] Vulnerability Description:
The vulnerable code is located in the constructor method of the "SamlResponse" class:
63. function __construct($settings, $assertion) {
64. $this->settings = $settings;
65. $this->assertion = base64_decode($assertion);
66. $this->xml = new DOMDocument();
67. $this->xml->loadXML($this->assertion);
68. }
Which is being called by the "authenticateUser" method of the "SAMLAuthenticateUser" class:
75. $samlresponse = new SamlResponse($settings, $_POST['SAMLResponse']);
User input passed through the "SAMLResponse" POST parameter isn't properly sanitized before being used in a call
to the "DOMDocument::loadXML()" method, and there are no calls to the "libxml_disable_entity_loader()" function.
This can be exploited by unauthenticated attackers to carry out XML External Entity (XXE) attacks. Successful
exploitation of this vulnerability requires SAML authentication to be enabled (disabled by default).
[-] Solution:
Update to version 6.5.19 CE or higher.
[-] Disclosure Timeline:
[15/10/2014] - Vendor notified
[18/10/2014] - Vendor acknowledgement
[15/12/2014] - Version 6.5.19 CE released: http://bit.do/sugar6519
[29/04/2015] - CVE number requested
[23/06/2016] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has not assigned a CVE identifier for this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2016-03
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists