SugarCRM Multiple Vulnerabilities
Vendor: SugarCRM
Product: SugarCRM
Version: <= 2.0
Website: http://www.sugarcrm.com
BID: 11740
CVE: CVE-2004-1227 CVE-2004-1228
OSVDB: 12120 12228 12229 12230
SECUNIA: 13287
Description:
Sugar Sales Professional is the solution for companies who use Sugar Sales in a production environment for mission-critical sales knowledge management. Sugar Sales Professional is a visible source CRM application that offers more features than the open source application. It also includes support by SugarCRM staff. Sugar Sales Professional expands the open source application benefits so that your company experiences better performance, integration and support.


Cross Site Scripting:
SugarCRM suffers from a large number of Cross Site Scripting issues. Below are examples of parameters that are reflected into the page unescaped.

/index.php?action=UnifiedSearch&module=Home&search_form=false&query_string=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
/index.php?module=Accounts&action=ListView&query=true&name=[XSS]

There are also a large number of XSS issues when scripts are called directly. For example:

/index.php?action=index&module=Home&mod_strings[LNK_NEW_CONTACT]=%3Cscript%3Ealert(document.cookie)%3C/script%3E

/modules/Users/Error.php?app_strings[NTC_CLICK_BACK]=%3Cscript%3Ealert(document.cookie)%3C/script%3E

There are certainly more XSS issues than these. A very large number of them exist because the include scripts do not validate their own input when they are called directly, which should not be hard to fix. The majority of these Cross Site Scripting issues are not present when register_globals is off, but they are present in the latest version of SugarCRM (2.0).
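The mechanism behind the mod_strings[...] and app_strings[...] payloads, and the reflected query_string case, as an added Python simulation (SugarCRM itself is PHP; this is not the project's code). PHP's register_globals turned every request parameter into a global variable, and a parameter named foo[bar] into an element of a global array $foo, so an include script that reads $mod_strings from global scope and echoes it unescaped emits whatever the attacker supplied. The table DEFAULT_MOD_STRINGS and the two render functions are constructed for the example:

```python
import html
import re
from urllib.parse import parse_qsl

# Language strings the application's own language file would define in
# $mod_strings (constructed sample; not SugarCRM's real table).
DEFAULT_MOD_STRINGS = {"LNK_NEW_CONTACT": "Create Contact"}

# PHP turns a parameter named  foo[bar]=x  into $foo['bar'] = 'x'.
_PHP_ARRAY_KEY = re.compile(r"^(\w+)\[(\w+)\]$")


def register_globals(query_string):
    """Emulate PHP's register_globals: every request parameter becomes a
    global variable, and bracketed names become elements of a global array."""
    globals_ = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        m = _PHP_ARRAY_KEY.match(name)
        if m:
            globals_.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            globals_[name] = value
    return globals_


def render_vulnerable(query_string):
    """The pattern the advisory describes: an include script reads $mod_strings
    and $query_string from global scope and echoes them unescaped.  Because
    register_globals seeded those globals from the request, a script reached
    directly (no language file loaded first) emits attacker-chosen strings."""
    g = register_globals(query_string)
    mod_strings = {**DEFAULT_MOD_STRINGS, **g.get("mod_strings", {})}
    search = g.get("query_string", "")
    return ('<input name="query_string" value="%s">'
            '<a href="index.php?module=Contacts&action=EditView">%s</a>'
            % (search, mod_strings["LNK_NEW_CONTACT"]))


def render_hardened(query_string):
    """Two independent fixes: language strings come only from the
    application's own table (request globals are never merged in), and
    every value written into HTML is escaped for its context."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    link_text = DEFAULT_MOD_STRINGS["LNK_NEW_CONTACT"]
    search = params.get("query_string", "")
    return ('<input name="query_string" value="%s">'
            '<a href="index.php?module=Contacts&action=EditView">%s</a>'
            % (html.escape(search, quote=True), html.escape(link_text)))
```

Turning register_globals off removes the first path (request data never becomes $mod_strings) but not the second: the search form still echoes query_string, so output escaping is needed regardless of the php.ini setting.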


HTML/Script Injection:
HTML/Script Injection issues were all found by Damon Wood while working with GulfTech Security Research. Almost all input fields used when adding emails, calls, contacts, accounts etc. are not properly sanitized, so script supplied in them is stored with the record and executes in the browser of any user who later views it (stored Cross Site Scripting).


SQL Injection Vulnerabilities:
There are several SQL Injection issues in SugarCRM that may allow an attacker to view or change sensitive information.

index.php?action=DetailView&module=Accounts&record=[SQL]

Anywhere the "record" parameter is used, SQL Injection is possible.
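What an unsanitized "record" parameter allows, as an added Python example against an in-memory SQLite database (not SugarCRM code; SugarCRM uses PHP and MySQL, but the query shapes are the same). The schema, the rows and the id format check in _RECORD_ID are constructed assumptions for the example:

```python
import re
import sqlite3

# Assumed shape of a record id: hex digits and dashes, at most 36 chars
# (an assumption for this example, not taken from the advisory).
_RECORD_ID = re.compile(r"^[0-9A-Fa-f-]{1,36}$")


def demo_db():
    """In-memory stand-in for the CRM schema, with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, name TEXT)")
    db.execute("CREATE TABLE users (user_name TEXT, user_hash TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("a1b2", "Acme Corp"), ("c3d4", "Globex"), ("e5f6", "Initech")])
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "constructed-hash-1"), ("sales1", "constructed-hash-2")])
    return db


def detail_view_vulnerable(db, record):
    """DetailView as the advisory describes it: `record` is pasted straight
    into the WHERE clause, so a quote in it changes the query itself."""
    sql = "SELECT id, name FROM accounts WHERE id = '%s'" % record
    return db.execute(sql).fetchall()


def detail_view_safe(db, record):
    """Reject anything not shaped like an id, then bind the value as a
    parameter so the driver sends it as data rather than as SQL text."""
    if not _RECORD_ID.match(record):
        raise ValueError("malformed record id")
    return db.execute("SELECT id, name FROM accounts WHERE id = ?",
                      (record,)).fetchall()


def is_accepted(db, record):
    """True if detail_view_safe accepts the id, False if it rejects it."""
    try:
        detail_view_safe(db, record)
        return True
    except ValueError:
        return False
```

With record set to x' OR '1'='1 the vulnerable query returns every account, and with x' UNION SELECT user_name, user_hash FROM users-- it returns the users table through the account view, which is the "view sensitive information" case above. The parameterized version returns nothing for either string, and the format check in front of it rejects them before the database is touched.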


File Include Vulnerability:
This vulnerability may allow an attacker to retrieve or view the contents of files on the remote machine, limited only by the privileges of the webserver.

/index.php?module=Opportunities&action=../../../../../../../../etc/passwd%00&advanced=true
/index.php?action=DetailView&module=../../../../../etc/passwd%00

So, basically anywhere the action or module parameter is used to build an include path, you can include files on the local machine. The trailing %00 is a NUL byte, which terminates the file name in PHP, so any extension the script appends after the parameter is discarded.
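How the two example URLs above resolve, and a validation routine that rejects them, as an added Python example (not SugarCRM code). The directory MODULES_DIR, the KNOWN_MODULES set and the modules/<Module>/<Action>.php layout are assumptions made for the example:

```python
import posixpath
import re
from urllib.parse import parse_qsl

# Constructed layout for the example: per-module scripts are assumed to
# live under here as modules/<Module>/<Action>.php.
MODULES_DIR = "/var/www/sugarcrm/modules"
KNOWN_MODULES = {"Accounts", "Contacts", "Home", "Opportunities", "Users"}
_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,63}$")


def request_from_query(query_string):
    """Decode module and action as PHP would, so %00 becomes a real NUL."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    return params.get("module", ""), params.get("action", "")


def include_path_vulnerable(module, action):
    """The pattern behind the advisory: both request values are pasted into
    the include path.  '../' walks out of MODULES_DIR, and a NUL made PHP
    stop reading the file name, so the appended '.php' never applied."""
    raw = "%s/%s/%s.php" % (MODULES_DIR, module, action)
    truncated = raw.split("\x00", 1)[0]      # emulate the NUL truncation
    return posixpath.normpath(truncated)     # where the include actually lands


def include_path_safe(module, action):
    """Allow-list both names, then re-check that the resolved path is still
    inside MODULES_DIR.  Raises ValueError on anything suspicious."""
    for name in (module, action):
        if "\x00" in name or not _NAME.match(name):
            raise ValueError("illegal module/action name: %r" % name)
    if module not in KNOWN_MODULES:
        raise ValueError("unknown module: %r" % module)
    path = posixpath.normpath(posixpath.join(MODULES_DIR, module, action + ".php"))
    if posixpath.commonpath([MODULES_DIR, path]) != MODULES_DIR:
        raise ValueError("resolved path escapes %s" % MODULES_DIR)
    return path


def is_safe_request(module, action):
    """True if include_path_safe would include the request, False if it rejects it."""
    try:
        include_path_safe(module, action)
        return True
    except ValueError:
        return False
```

The character allow-list alone already excludes '/', '.' and NUL; the containment check after normpath is kept as a second, independent guard so that a later relaxation of the pattern cannot silently reopen the traversal.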


Solution:
The SugarCRM 2.0.1d patch in late December addressed the issues and they have been re-verified in the subsequent 2.5.1 and 3.0 releases.


Credits:
James Bercegay of the GulfTech Security Research Team