lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 10 Oct 2019 20:39:22 +0200
From: Egidio Romano <research@...mainsecurity.com>
To: fulldisclosure@...lists.org
Subject: [FD] [KIS-2019-07] SugarCRM <= 9.0.1 Multiple PHP Code Injection
 Vulnerabilities

-------------------------------------------------------------
SugarCRM <= 9.0.1 Multiple PHP Code Injection Vulnerabilities
-------------------------------------------------------------


[-] Software Link:

https://www.sugarcrm.com


[-] Affected Versions:

Version 9.0.1 and prior versions, 8.0.3 and prior versions.


[-] Vulnerabilities Description:

1) When handling the "Locale" action within the "Administration" module 
the application
allows to inject arbitrary settings into the 'config_override.php' file. 
This can be
exploited by malicious users to inject and execute arbitrary PHP code by 
e.g. setting
to .php the file extension for the system log file. Successful 
exploitation of this
vulnerability requires a System Administrator account.

2) When handling the "SaveRelationship" action within the 
"ModuleBuilder" module the
application allows to inject arbitrary settings into the 
'config_override.php' file.
This can be exploited by malicious users to inject and execute arbitrary 
PHP code
by e.g. setting to .php the file extension for the system log file.

3) When handling the "PasswordManager" action within the 
"Administration" module the
application allows to inject arbitrary settings into the 
'config_override.php' file.
This can be exploited by malicious users to inject and execute arbitrary 
PHP code
by e.g. setting to .php the file extension for the system log file. 
Successful
exploitation of this vulnerability requires a System Administrator 
account.

4) When handling the "saveadminwizard" action within the "Configurator" 
module the
application allows to inject arbitrary settings into the 
'config_override.php' file.
This can be exploited by malicious users to inject and execute arbitrary 
PHP code by
e.g. setting to .php the file extension for the system log file. 
Successful
exploitation of this vulnerability requires a System Administrator 
account.

5) When handling the "trackersettings" action within the "Trackers" 
module the
application allows to inject arbitrary settings into the 
'config_override.php' file.
This can be exploited by malicious users to inject and execute arbitrary 
PHP code by
e.g. setting to .php the file extension for the system log file.

6) When handling the "updatewirelessenabledmodules" action within the 
"Administration"
module the application allows to inject arbitrary settings into the 
'config_override.php'
file. This can be exploited by malicious users to inject and execute 
arbitrary PHP code
by e.g. setting to .php the file extension for the system log file. 
Successful
exploitation of this vulnerability requires a System Administrator 
account.


[-] Solution:

Upgrade to version 9.0.2, 8.0.4, or later.


[-] Disclosure Timeline:

[07/02/2019] - Vendor notified
[01/10/2019] - Versions 9.0.2 and 8.0.4 released
[10/10/2019] - Publication of this advisory


[-] Credits:

Vulnerabilities discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2019-07


[-] Other References:

https://support.sugarcrm.com/Documentation/Sugar_Versions/9.0/Ent/Sugar_9.0.2_Release_Notes

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists