Multiple vulnerabilities have been found in the open source customer relationship management software SugarSales (SugarCRM). These vulnerabilities are: SQL injection, full path disclosure, file inclusion leading to remote command execution, and exposed install scripts.
Some of the vulnerabilities described in this advisory can only be exploited while logged into SugarSales; others can be exploited to bypass the login process altogether.
Vulnerable Systems:
* SugarSales versions up to and including 2.0.1c (the SQL injection flaws are fixed in 2.0.1a; the file inclusion and full path disclosure flaws are still present in 2.0.1c)
Immune Systems:
* None known at the time of disclosure; no released version fixes the file inclusion flaws
SQL Injection:
Scope:
Due to insufficient input validation, an attacker can manipulate the SQL statements that are sent to the database. Two exploits exist for this flaw: one can only be used when logged into SugarSales, while the other can be used to log into SugarSales without valid credentials. Both of these vulnerabilities have been fixed in version 2.0.1a.
Login:
An attacker can log into SugarSales using the username "admin' or 1=1 -- " (without the double quotes) and any password.
Retrieving Data:
Once logged in, an attacker can also perform SQL injection to retrieve data, using a request such as (to be considered one line): http://host/sugarcrm/index.php?action=DetailView&module=Opportunities&record=xxx' union select 1, 2, 3, 4, 5, 6, user_name, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, user_password from users limit 1, 1 --
Since the attacker must already be logged in to reach this query, it adds little on its own, although it does expose the user_name and user_password columns of every account. All modules seem to be affected.
Full Path Disclosure:
Scope:
Many scripts display the full filesystem path when they encounter unexpected input. This allows an attacker to map the system and locate the webroot. This flaw has not been fixed as of version 2.0.1c.
File Inclusion/Remote Command Execution:
Scope:
Due to insufficient validation of user input that is later used in include() or require() directives, an attacker can read arbitrary files by specifying their path in certain HTTP GET parameters.
Two of the file inclusions can only be exploited while logged into SugarSales, but numerous other file inclusion flaws can be exploited without knowing a username or password, i.e. they bypass the login process.
As with all such file inclusion flaws, remote command execution is only a small step away. If the attacker can place PHP code in a file that one of these scripts will include, e.g. by uploading a text file after logging in through the SQL injection described above, or by writing it into the web server log file and locating that log, the include yields a web shell and control over the server.
Modules and Actions (only possible when logged in):
http://host/Sugarcrm/index.php?module=/../../etc/hosts%00&action=EditView
http://host/Sugarcrm/index.php?module=Calls%00&action=/../../etc/hosts%00
Include files (possible to exploit when not logged in):
http://host/sugarcrm/modules/Users/Login.php?theme=/../../../etc/hosts%00
http://host/sugarcrm/modules/Calls/index.php?theme=/../../../etc/hosts%00
These flaws can be found in numerous other files in the modules directory.
Neither of the two flaws has been fixed as of version 2.0.1c.
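As an added example (Python, not SugarSales' PHP code), the script below models what the include() calls above end up opening and what a corrected check looks like. The directory /var/www/sugarcrm/modules, the "/index.php" suffix and the module whitelist are assumptions standing in for the real scripts' values; the NUL truncation mirrors the behaviour of the PHP releases the advisory targets, which handed the path string to C file routines that stop at the first NUL byte.

```python
import os
import re

# Added example, not SugarSales code. The directory, the "/index.php" suffix
# and the whitelist are assumptions standing in for the real scripts' values.
MODULES_DIR = "/var/www/sugarcrm/modules"
SUFFIX = "/index.php"
KNOWN_MODULES = frozenset(["Calls", "Opportunities", "Users"])
SAFE_NAME = re.compile(r"^[A-Za-z0-9_]+$")


def include_path_vulnerable(param, base_dir=MODULES_DIR, suffix=SUFFIX):
    """Path that include($base . '/' . $param . $suffix) actually opened in
    the PHP releases the advisory targets: the string went to C file
    routines, so a NUL byte (%00 in the URL) terminated it early and the
    suffix that was meant to pin the request to a script was dropped.
    The ".." segments then walk out of base_dir."""
    raw = base_dir + "/" + param + suffix
    return os.path.normpath(raw.split("\x00", 1)[0])


def include_path_checked(param, base_dir=MODULES_DIR, suffix=SUFFIX,
                         allowed=KNOWN_MODULES):
    """Hardened resolution: NUL bytes and anything that is not a plain
    identifier are rejected, the name must be on an explicit whitelist,
    and the normalised result must still lie inside base_dir. On a live
    system use os.path.realpath instead of normpath so symlinks are
    resolved as well."""
    if "\x00" in param:
        raise ValueError("NUL byte in parameter")
    if not SAFE_NAME.match(param):
        raise ValueError("not a plain module name: %r" % param)
    if param not in allowed:
        raise ValueError("unknown module: %r" % param)
    base = os.path.normpath(base_dir)
    path = os.path.normpath(os.path.join(base, param + suffix))
    if not path.startswith(base + os.sep):
        raise ValueError("resolved path escapes %s: %s" % (base, path))
    return path


def rejected(param, **kwargs):
    """True when the hardened resolver refuses the parameter."""
    try:
        include_path_checked(param, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Decoded forms of the advisory's payloads (%00 -> NUL byte), plus a
    # plain traversal without NUL and a legitimate module name.
    for p in ["/../../etc/hosts\x00", "Calls\x00", "../Users", "Calls"]:
        print("%-22r vulnerable -> %s" % (p, include_path_vulnerable(p)))
        print("%-22r checked    -> %s" % (
            p, "rejected" if rejected(p) else include_path_checked(p)))
```

With the assumed directory, "/../../etc/hosts" followed by a NUL byte resolves to /var/www/etc/hosts; the number of "../" segments an attacker needs simply depends on how deep the installation sits, which is why the theme payloads above use one more than the module payloads. "Calls" followed by a NUL byte drops the suffix entirely, so the script opens the directory instead of Calls/index.php, which is what the second module payload above combines with a traversal in the action parameter.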
Install Scripts:
Scope:
After a successful installation of SugarSales, the install script files are neither removed nor locked unless the administrator of the site deletes them manually. An attacker can use the install scripts to perform a denial of service attack by dropping the tables and recreating them with the default contents. More importantly, the MySQL password is shown in plain text in one of the install script forms.
Counter Measures:
Until a fix is available, set the following parameters in php.ini:
register_globals = Off
magic_quotes_gpc = On
In addition, manually delete the /install directory after installation.
Disclosure Timeline:
Nov. 17: Notified vendor
Nov. 22: Vendor reply
Nov. 24: Release of 2.0.1a, which fixes only SQL Injection
Nov. 25: Notification to vendor that not all vulnerabilities were fixed by the patch
Nov. 28: Supplied vendor with a patch for the file inclusion flaws
Dec. 08: Release of 2.0.1c which still does not fix file inclusion flaws
Dec. 13: Disclosure of the vulnerabilities
Vendor Status:
The vendor has been notified and fixed some of the vulnerabilities we reported in version 2.0.1a. Even though we supplied them with a patch for the remaining vulnerabilities, the patch has been applied to neither version 2.0.1b nor 2.0.1c. As a result, we are now publishing this advisory.