-------------------------------------------------------------
SugarCRM <= 9.0.1 Multiple PHP Code Injection Vulnerabilities
-------------------------------------------------------------


[-] Software Link:

https://www.sugarcrm.com


[-] Affected Versions:

Version 9.0.1 and prior versions, 8.0.3 and prior versions.


[-] Vulnerabilities Description:

1) When handling the "Locale" action within the "Administration" module 
the application
allows to inject arbitrary settings into the 'config_override.php' file. 
This can be
exploited by malicious users to inject and execute arbitrary PHP code by 
e.g. setting
to .php the file extension for the system log file. Successful 
exploitation of this
vulnerability requires a System Administrator account.

2) When handling the "SaveRelationship" action within the 
"ModuleBuilder" module the
application allows to inject arbitrary settings into the 
'config_override.php' file.
This can be exploited by malicious users to inject and execute arbitrary 
PHP code
by e.g. setting to .php the file extension for the system log file.

3) When handling the "PasswordManager" action within the 
"Administration" module the
application allows to inject arbitrary settings into the 
'config_override.php' file.
This can be exploited by malicious users to inject and execute arbitrary 
PHP code
by e.g. setting to .php the file extension for the system log file. 
Successful
exploitation of this vulnerability requires a System Administrator 
account.

4) When handling the "saveadminwizard" action within the "Configurator" 
module the
application allows to inject arbitrary settings into the 
'config_override.php' file.
This can be exploited by malicious users to inject and execute arbitrary 
PHP code by
e.g. setting to .php the file extension for the system log file. 
Successful
exploitation of this vulnerability requires a System Administrator 
account.

5) When handling the "trackersettings" action within the "Trackers" 
module the
application allows to inject arbitrary settings into the 
'config_override.php' file.
This can be exploited by malicious users to inject and execute arbitrary 
PHP code by
e.g. setting to .php the file extension for the system log file.

6) When handling the "updatewirelessenabledmodules" action within the 
"Administration"
module the application allows to inject arbitrary settings into the 
'config_override.php'
file. This can be exploited by malicious users to inject and execute 
arbitrary PHP code
by e.g. setting to .php the file extension for the system log file. 
Successful
exploitation of this vulnerability requires a System Administrator 
account.


[-] Solution:

Upgrade to version 9.0.2, 8.0.4, or later.


[-] Disclosure Timeline:

[07/02/2019] - Vendor notified
[01/10/2019] - Versions 9.0.2 and 8.0.4 released
[10/10/2019] - Publication of this advisory


[-] Credits:

Vulnerabilities discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2019-07


[-] Other References:

https://support.sugarcrm.com/Documentation/Sugar_Versions/9.0/Ent/Sugar_9.0.2_Release_Notes