exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SugarCRM 5.2.0e Code Execution

SugarCRM 5.2.0e Code Execution
Posted Jun 15, 2009
Authored by Francesco Ongaro, Antonio Parata, Giovanni Pellerano | Site ush.it

SugarCRM versions 5.2.0e and below suffer from a remote code execution vulnerability.

tags | exploit, remote, code execution
SHA-256 | b46bbb1752deb1c9295ffea5807d2e474bb3c4c6de135549995c2c9d75270085

SugarCRM 5.2.0e Code Execution

Change Mirror Download
SugarCRM 5.2.0e Remote Code Execution

Name Remote Code Execution in SugarCRM
Systems Affected Sugar CRM 5.2.0e and possibly earlier versions
Severity High
Impact (CVSSv2) High 8/10, vector: (AV:N/AC:L/Au:S/C:P/I:C/A:P)
Vendor http://www.sugarcrm.com
Advisory http://www.ush.it/team/ush/hack-sugarcrm_520e/adv.txt
Authors Antonio "s4tan" Parata (s4tan AT ush DOT it)
Francesco "ascii" Ongaro (ascii AT ush DOT it)
Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it)
Date 20090613


>From the SugarCRM web site: "Sugar Express is designed for individuals
and small companies. Core CRM features help employees get on the same
page while more complex functionality is stripped away. Sugar Express is
ideal for providing a single view of the customer from the initial
marketing campaign through the sales cycle and on to customer support.
With Sugar Express, companies have a single system of truth for managing
customer interactions.".


A Remote Code Execution Vulnerability exists in SugarCRM software.



A Remote Code Execution issue has been found in SugarCRM version
5.2.0e. In order to exploit this vulnerability an account on the system
is required.

The vulnerability resides in the "Compose Email" section. The software
permits sending email with attachments (if not disabled by the
administrator). When the name of the file is specified, a validation
routine is called:


function safeAttachmentName($filename) {
global $sugar_config;
$badExtension = false;
//get position of last "." in file name
$file_ext_beg = strrpos($filename, ".");
$file_ext = "";
//get file extension
if($file_ext_beg > 0) {
$file_ext = substr($filename, $file_ext_beg + 1);
//check to see if this is a file with extension located in "badext"
foreach($sugar_config['upload_badext'] as $badExt) {
if(strtolower($file_ext) == strtolower($badExt)) {
//if found, then append with .txt and break out of lookup
$filename = $filename . ".txt";
$badExtension = true;
break; // no need to look for more
} // if
} // foreach
return $badExtension;


This routine checks if the extension of the filename is blacklisted,
if so the ".txt" extension is appended to the filename. However there is
a coding error: the function assumes that the filename (extension
excluded) is at least one char long, this assumption is derived from the


if($file_ext_beg > 0)


Of course this is a bad assumption, if we set the whole filename to
".php" than the check is skipped and a void extension is assumed.
Because void extensions are not in the blacklist, no futher extension
is added to the filename. After this check a file is created on the
filesystem in the form "<id><filename>".

Where "id" is an alphanumeric string. With the trick illustrated we are
able to create a file with ".php" extension. To do this upload a new
file attachment and set the filename to ".php".

After this the attacker has to find the name of the file that was
uploaded in the attachment list files. To obtaint the real filename
look in the HTML response for a string like:


<input value="6e25aba0-9dc4-2a57-8bae-4a1317b35d47.php" name="email_atta
chment0" id="email_attachment10" type="hidden">


The real filename in this case is "6e25aba0-9dc4-2a57-8bae-4a1317b35d47.
php". Now the attacker has to find the directory where the file resides.

Again searching the HTML page for the attribute "assigned_user_id"
reveals the needed information:


<a href="index.php?module=Emails&action=ListView&assigned_user_id=abf7c7


At this point the attacker has all the informations to invoke the
uploaded file.

Filename: 6e25aba0-9dc4-2a57-8bae-4a1317b35d47.php
Assigned user id: abf7c77b-2f71-8071-63ba-4a131068e9a2

To directly request it issue a request to:




As final note: if the user is "administrator", "assigned_user_id" is
always "1".


SugarCRM 5.2.0e and possibly earlier versions are vulnerable.


Upgrade to latest version 5.2.0f


"We have fixed the issue and will be shipping the patch on June 12th.
We will be doing a full pass of quality assurance in this area to
ensure that no other issues crop up around file uploads.
The fix involves modifying the code that handles uploads for email
attachments to save the files using just a GUID rather than the original
file name. This is similar to how uploads are handled else where in the
application and should prevent the code from being executable on the
server side."


No CVE at this time.


20090519 Bug discovered
20090528 First vendor contact
20090528 Vendor Response
20090530 Vendor Confirm the vulnerability
20090602 Vendor propose a possible fix and path release
20090612 Vendor released SugarCRM 5.2.0f (Vulnerability fixed)
20090613 Advisory released


Antonio "s4tan" Parata, Francesco "ascii" Ongaro and Giovanni
"evilaliv3" Pellerano are credited with the discovery of this

Antonio "s4tan" Parata
web site: http://www.ush.it/
mail: s4tan AT ush DOT it

Francesco "ascii" Ongaro
web site: http://www.ush.it/
mail: ascii AT ush DOT it

Giovanni "evilaliv3" Pellerano
web site: http://www.ush.it/, http://www.evilaliv3.org/
mail: evilaliv3 AT ush DOT it


Copyright (c) 2009 Francesco "ascii" Ongaro

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    8 Files
  • 29
    Sep 29th
    14 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By