SugarCRM 9.0.1 Path Traversal

Posted Oct 11, 2019
Authored by EgiX | Site karmainsecurity.com

SugarCRM versions 9.0.1 and below suffer from multiple path traversal vulnerabilities.

tags | exploit, vulnerability
MD5 | 07e61544723cdaf57099f0133cbf81e8

---------------------------------------------------------
SugarCRM <= 9.0.1 Multiple Path Traversal Vulnerabilities
---------------------------------------------------------


[-] Software Link:

https://www.sugarcrm.com


[-] Affected Versions:

Version 9.0.1 and prior versions, 8.0.3 and prior versions.


[-] Vulnerabilities Description:

1) User input passed to the "/Mail/attachment" REST API endpoint is not
properly sanitized before being used to delete a file from the system. This
can be exploited by malicious users to delete arbitrary files via Path
Traversal attacks. Please note this vulnerability could be exploited to delete
the 'config.php' file and re-install the application, potentially leading to
a full server compromise.

2) User input passed through the "temp_id" parameter to the
"/[module]/temp/file" REST API endpoint is not properly sanitized before being
used to download/delete a file from the system. This can be exploited by
malicious users to download and/or delete arbitrary files via Path Traversal
attacks. Please note this vulnerability could be exploited to download and
delete the 'config.php' file and re-install the application, potentially
leading to a full server compromise.

3) User input passed through the "dropdown_lang" parameter when handling the
"wizard" action within the "Studio" module is not properly sanitized before
being used in a call to the include() PHP function. This can be exploited by
malicious users to upload and execute arbitrary PHP code via Path Traversal
attacks. Successful exploitation of this vulnerability requires a user account
with Developer access to any module.

4) User input passed through the "filename" parameter when handling the
"deleteFont" action within the "Configurator" module is not properly sanitized
before being used to delete a file from the system. This can be exploited by
malicious users to delete arbitrary files. Please note this vulnerability
could be exploited to delete the 'config.php' file and re-install the
application, potentially leading to a full server compromise. Successful
exploitation of this vulnerability requires a System Administrator account.
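
The following PHP snippet is an added illustration, not code from SugarCRM or
from the original advisory. It shows the generic pattern behind items 1, 2
and 4 (a request-supplied identifier concatenated into a path and handed to
unlink()) beside a hardened resolver, and reuses that resolver for the
include() case in item 3. The base directories, identifier formats, file
names and helper names are assumptions chosen for the demonstration and do
not describe SugarCRM's internals or the vendor's fix.

```php
<?php
// Added example for this advisory, not SugarCRM's own code. Directory
// layout, identifier formats and file names below are assumptions.

declare(strict_types=1);

// The traversal-prone pattern: "temp_id=../config.php" escapes the directory
// because the value is glued onto the path and never canonicalised.
function deleteTempFileVulnerable(string $baseDir, string $tempId): bool
{
    return @unlink($baseDir . '/' . $tempId);
}

// Hardened resolver:
//  1. accept only names matching the format the application itself issues;
//  2. canonicalise with realpath() and require the result to stay under the
//     base directory (this also catches a symlink planted inside it);
//  3. refuse anything that is not a regular file.
function resolveStoredFile(string $baseDir, string $name, string $namePattern): ?string
{
    if (!preg_match($namePattern, $name)) {
        return null;
    }
    $root = realpath($baseDir);
    if ($root === false) {
        return null;
    }
    $path = realpath($root . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Compare against "root/" so that "/app/temp" does not accept "/app/temp2/x".
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Assumed identifier format for temp files: a GUID (hex groups 8-4-4-4-12).
const TEMP_ID_PATTERN = '/^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i';
// Assumed file name format for language packs, e.g. "en_us.lang.php".
const LANG_FILE_PATTERN = '/^[a-z]{2}_[a-z]{2}\.lang\.php$/';

function deleteTempFileSafe(string $baseDir, string $tempId): bool
{
    $path = resolveStoredFile($baseDir, $tempId, TEMP_ID_PATTERN);
    return $path !== null && unlink($path);
}

// Item 3 analogue: never interpolate the request value into include();
// resolve it to an existing, in-directory file first. A value containing
// "/" or ".." cannot match LANG_FILE_PATTERN once the suffix is appended.
function includeLanguageFile(string $langDir, string $lang): bool
{
    $path = resolveStoredFile($langDir, $lang . '.lang.php', LANG_FILE_PATTERN);
    if ($path === null) {
        return false;
    }
    include $path;
    return true;
}

// Constructed layout: <root>/config.php, <root>/temp/<guid>, <root>/lang/en_us.lang.php
$root = sys_get_temp_dir() . '/traversal-demo-' . bin2hex(random_bytes(4));
mkdir("$root/temp", 0700, true);
mkdir("$root/lang", 0700);
file_put_contents("$root/config.php", "<?php // pretend install config\n");
$id = '0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9';
file_put_contents("$root/temp/$id", "upload body\n");
file_put_contents("$root/lang/en_us.lang.php", "<?php // language strings\n");

$results = [
    'traversal id rejected'   => resolveStoredFile("$root/temp", '../config.php', TEMP_ID_PATTERN) === null,
    'valid id resolved'       => resolveStoredFile("$root/temp", $id, TEMP_ID_PATTERN) !== null,
    'traversal lang rejected' => includeLanguageFile("$root/lang", '../config') === false,
    'valid lang included'     => includeLanguageFile("$root/lang", 'en_us') === true,
];
// The unsafe helper removes config.php with the same payload the safe one rejects.
deleteTempFileVulnerable("$root/temp", '../config.php');
$results['config.php deleted by vulnerable path'] = !file_exists("$root/config.php");
deleteTempFileSafe("$root/temp", $id);
$results['temp file deleted by safe path'] = !file_exists("$root/temp/$id");

foreach ($results as $label => $ok) {
    printf("%-40s %s\n", $label, $ok ? 'ok' : 'FAIL');
}

// Remove the throwaway layout.
unlink("$root/lang/en_us.lang.php");
rmdir("$root/lang");
rmdir("$root/temp");
rmdir($root);
```

Run it with the php CLI: it builds a throwaway directory under the system
temp path, exercises both helpers against a traversal payload and a
well-formed identifier, prints one ok/FAIL line per check and removes what it
created. Two checks carry the weight: the format allowlist stops the ".."
payloads up front, and the realpath() containment test stops a well-formed
name that turns out to be a symlink pointing outside the directory.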


[-] Solution:

Upgrade to version 9.0.2, 8.0.4, or later.


[-] Disclosure Timeline:

[07/02/2019] - Vendor notified
[01/10/2019] - Versions 9.0.2 and 8.0.4 released
[10/10/2019] - Publication of this advisory


[-] Credits:

Vulnerabilities discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2019-06


[-] Other References:

https://support.sugarcrm.com/Documentation/Sugar_Versions/9.0/Ent/Sugar_9.0.2_Release_Notes

