Credit:
The information has been provided by Patrick Hof, Jens Liebchen, Claus R. F. Overbeck.
The original article can be found at: http://www.redteam-pentesting.de/advisories/rt-sa-2011-002
Vulnerable Systems:
* SugarCRM Community Edition prior to version 6.1.2
* SugarCRM Professional prior to version 6.1.2
* SugarCRM Enterprise prior to version 6.1.2
Immune Systems:
* SugarCRM Community Edition version 6.1.3
* SugarCRM Professional version 6.1.3
* SugarCRM Enterprise version 6.1.3
SugarCRM supports defining so-called roles, which carry a given set of privileges for each object type, such as customers (called "accounts"), calls and opportunities. A role can then be assigned to users, to whom the defined privileges apply.
These privileges include, among others, View, Edit, Delete and List. The List privilege controls to what extent a list of existing objects can be accessed. It may be set to All, Owner or None. When set to Owner, the users to which it applies can only see the objects they own, such as the customers assigned to them.
When a user tries to create, for example, a new customer, SugarCRM performs a duplicate check and warns the user if a customer with the same name already exists. The warning page includes a listing of the conflicting entries regardless of their owner. Furthermore, reloading the page at this point shows a complete list of all customers, even if the user's List privilege is limited to Owner. Directly accessing the URL of this page works in the same way. The same applies to contact entries.
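The following is an added, simplified model of the access-control defect described above; it is not SugarCRM's code. It models the List privilege (All, Owner, None) as a filter that every listing view should pass through, and contrasts a duplicate check that bypasses that filter (as the advisory describes) with one that applies it. The account records, user names and role assignments are constructed sample data.

```python
"""Illustrative model of a List-privilege filter and a duplicate-check view.
Added example for this advisory; not SugarCRM's own code. All data is constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Account:
    name: str
    owner: str


@dataclass(frozen=True)
class Role:
    list_privilege: str  # "All", "Owner" or "None"


# Constructed sample data: two records share the name "Acme Corp".
ACCOUNTS = [
    Account("Acme Corp", "alice"),
    Account("Acme Corp", "bob"),
    Account("Globex", "bob"),
    Account("Initech", "carol"),
]
ROLES = {"alice": Role("Owner"), "bob": Role("All"), "dave": Role("None")}


def visible_accounts(user: str, role: Role, accounts: List[Account]) -> List[Account]:
    """The List privilege: the one filter every listing view must go through."""
    if role.list_privilege == "All":
        return list(accounts)
    if role.list_privilege == "Owner":
        return [a for a in accounts if a.owner == user]
    return []  # "None": the user may not list anything


def show_duplicates_vulnerable(user: str, role: Role, candidate: Optional[str],
                               accounts: List[Account]) -> List[Account]:
    """Duplicate check with the defect the advisory describes: it queries all
    records directly and never applies the List privilege. With no candidate
    name (the page reloaded or opened directly) it lists every record."""
    if candidate is None:
        return list(accounts)
    return [a for a in accounts if a.name == candidate]


def show_duplicates_fixed(user: str, role: Role, candidate: Optional[str],
                          accounts: List[Account]) -> List[Account]:
    """Hardened check: only records the user is allowed to list are ever
    compared, and a request without a candidate name has nothing to compare."""
    if candidate is None:
        return []
    return [a for a in visible_accounts(user, role, accounts) if a.name == candidate]


if __name__ == "__main__":
    alice = ROLES["alice"]
    print("vulnerable:", show_duplicates_vulnerable("alice", alice, "Acme Corp", ACCOUNTS))
    print("fixed:     ", show_duplicates_fixed("alice", alice, "Acme Corp", ACCOUNTS))
    print("direct hit:", len(show_duplicates_vulnerable("alice", alice, None, ACCOUNTS)), "records")
```

The design point is that the owner filter must live in the data-access layer shared by all views, not only in the regular list view; a secondary view such as the duplicate warning that queries records on its own path reintroduces the information disclosure.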
Proof of Concept:
The following URL displays a list of all customers ("accounts"):
http://www.example.org/sugarcrm/index.php?module=Accounts&action=ShowDuplicates
The following URL displays a list of all contacts:
http://www.example.org/sugarcrm/index.php?module=Contacts&action=ShowDuplicates
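For operators who cannot upgrade immediately, the URLs above are easy to spot in web server logs. The following is an added detection example written for this page (not part of the original advisory): it scans Apache combined-format access log lines for requests to the ShowDuplicates action of the Accounts or Contacts module and reports which client and authenticated user made them. The log lines are constructed sample data.

```python
"""Flag requests to index.php?module=Accounts|Contacts&action=ShowDuplicates in
Apache combined-format access logs. Added example; log lines are constructed."""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines for the example; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - alice [15/Mar/2011:10:01:02 +0100] "GET /sugarcrm/index.php?module=Accounts&action=index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - alice [15/Mar/2011:10:01:40 +0100] "GET /sugarcrm/index.php?module=Accounts&action=ShowDuplicates HTTP/1.1" 200 90210 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Mar/2011:10:02:11 +0100] "GET /sugarcrm/index.php?action=ShowDuplicates&module=Contacts HTTP/1.1" 200 77001 "-" "curl/7.21"
10.0.0.7 - bob [15/Mar/2011:10:03:00 +0100] "POST /sugarcrm/index.php?module=Accounts&action=Save HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - alice [15/Mar/2011:10:04:15 +0100] "GET /sugarcrm/index.php?module=Accounts&action=ShowDuplicates HTTP/1.1" 200 90210 "-" "Mozilla/5.0"
"""

WATCHED_MODULES = {"Accounts", "Contacts"}


def is_show_duplicates(path: str) -> bool:
    """True if the request path targets the ShowDuplicates action of a watched
    module, regardless of parameter order."""
    query = parse_qs(urlsplit(path).query)
    module = query.get("module", [""])[0]
    action = query.get("action", [""])[0]
    return module in WATCHED_MODULES and action == "ShowDuplicates"


def find_show_duplicates(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (host, user, time, path) for every matching request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_show_duplicates(m.group("path")):
            hits.append((m.group("host"), m.group("user"), m.group("time"), m.group("path")))
    return hits


def hits_per_client(hits: List[Tuple[str, str, str, str]]) -> Dict[str, int]:
    """Count matching requests per client host; repeated hits from one client
    suggest deliberate enumeration rather than a single duplicate warning."""
    counts: Dict[str, int] = {}
    for host, _user, _time, _path in hits:
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_show_duplicates(SAMPLE_LOG):
        print(hit)
    print(hits_per_client(find_show_duplicates(SAMPLE_LOG)))
```

A single ShowDuplicates request can be legitimate (the warning page during normal record creation), so the per-client count is what separates ordinary use from listing attempts; repeated requests with a 200 status and a large response size from a user whose List privilege is Owner are the ones to review.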
CVE Information:
CVE-2011-0745
Disclosure Timeline:
2010-09-14 Vulnerability identified
2011-02-09 Vendor notified
2011-03-10 Vendor releases fix
2011-03-15 Advisory released