[UNIX] SugarSales Multiple Vulnerabilities

Subject: [UNIX] SugarSales Multiple Vulnerabilities
Date: 28 Dec 2004 17:07:49 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  SugarSales Multiple Vulnerabilities
------------------------------------------------------------------------


SUMMARY

Multiple vulnerabilities have been found in the open source customer 
relationship management software SugarSales (SugarCRM). These 
vulnerabilities are:

 - Full Path Disclosure
 - Install Script
 - File Inclusion/Remote Command Execution
 - SQL Injection

Some of the vulnerabilities described in this advisory can only be 
exploited while logged into SugarSales; others, however, can be 
exploited to bypass the logon process entirely.

DETAILS

Vulnerable Systems:
 * SugarSales versions up to 2.0.1c

Immune Systems:
 * SugarSales version 2.0.1c or newer

SQL Injection
Scope:
Due to insufficient input validation, an attacker can manipulate the SQL 
statements that are sent to the database. Two exploits exist for this flaw: 
one can only be used once logged into SugarSales, while the other can be 
used to log into SugarSales in the first place. Both of these vulnerabilities 
have been fixed in version 2.0.1a.

Login:
An attacker can log into SugarSales using the username "admin' or 1=1 -- " 
(without the double quotes) and any password.

Retrieving Data:
Once logged in, an attacker can also perform SQL injection to retrieve 
data, using a request such as:
http://host/sugarcrm/index.php?action=DetailView&module=Opportunities&record=xxx' union select 1, 2, 3, 4, 5, 6, user_name, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, user_password from users limit 1, 1 --

Of course as the attacker is already logged in, there is not much use in 
performing this SQL injection anyway. All modules seem to be affected.
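Added example (not from the advisory and not SugarCRM's code): the login bypass with the username quoted above, run against a constructed in-memory SQLite table whose columns follow the advisory's `users` table, first through a string-built query and then through the bound-parameter query that fixes it.

```python
import sqlite3

PAYLOAD = "admin' or 1=1 -- "   # the username quoted in the advisory

def make_db():
    """Constructed stand-in for the users table; column names follow the advisory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT, user_password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "hash-of-admin-pw"), ("bob", "hash-of-bob-pw")])
    conn.commit()
    return conn

def login_vulnerable(conn, user_name, user_password):
    """Query built by string formatting. The quote in PAYLOAD closes the literal,
    'or 1=1' makes the WHERE clause true for every row, and '-- ' comments out
    the password comparison, so the first user (admin) is returned."""
    sql = ("SELECT user_name FROM users WHERE user_name = '%s' "
           "AND user_password = '%s'" % (user_name, user_password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, user_name, user_password):
    """Bound parameters: the driver passes the whole string as one value, so the
    payload is compared literally against user_name and matches nobody."""
    sql = "SELECT user_name FROM users WHERE user_name = ? AND user_password = ?"
    row = conn.execute(sql, (user_name, user_password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "anything"))  # admin
    print("safe:      ", login_safe(db, PAYLOAD, "anything"))        # None
```

The `magic_quotes_gpc` countermeasure below only escapes the quote; binding parameters removes the class of bug rather than one trigger.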

Full Path Disclosure:
Scope:
Many scripts display the full filesystem path when they encounter unexpected 
input. This allows an attacker to enumerate the system and locate the webroot. 
This flaw has not yet been fixed (as of version 2.0.1c).

Example:
http://host/Sugarcrm/phprint.php?jt=fe3e158b220567409e5d8976d34bcdae&module=&action=&record=&lang=de

File Inclusion/Remote Command Execution
Scope:
Due to insufficient input validation of user input that is later used in 
include() or require() directives, an attacker is able to disclose 
arbitrary files by specifying their path in certain HTTP GET parameters.

Two of the file inclusions can only be exploited while logged into 
SugarSales; however, there are again numerous other file inclusion flaws 
that can be used to bypass the logon process without knowledge of a 
username or password.

As with all such file inclusion flaws, remote command execution is just 
the blink of an eye away. If the attacker is able to log in (e.g. as 
described above using SQL injection) and upload text files or find the 
webserver log file, he can gain a comfortable web-shell and take control 
over the server.

Modules and Actions (only possible when logged in):
http://host/Sugarcrm/index.php?module=/../../etc/hosts%00&action=EditView
http://host/Sugarcrm/index.php?module=Calls%00&action=/../../etc/hosts%00

Include files (possible to exploit when not logged in):
http://host/sugarcrm/modules/Users/Login.php?theme=/../../../etc/hosts%00
http://host/sugarcrm/modules/Calls/index.php?theme=/../../../etc/hosts%00

These flaws can be found in numerous other files in the modules directory.

Neither of the two flaws has been fixed as of version 2.0.1c.
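Added example (not from the advisory and not SugarCRM's code): an allowlist check for the `module`, `action` and `theme` parameters the advisory shows reaching include(), applied to the URLs above after decoding them the way PHP would (`%00` becomes a NUL byte). The modules path is an assumption.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

MODULES_ROOT = os.path.realpath("/var/www/sugarcrm/modules")  # assumed install path
INCLUDE_PARAMS = ("module", "action", "theme")  # parameters the advisory shows reaching include()
NAME_RE = re.compile(r"[A-Za-z0-9_]+")           # shape of a legitimate module/action name

def safe_name(value):
    """Allowlist check: a NUL byte, '/', '.', or an empty value all fail fullmatch,
    so both the '%00' truncation trick and '../' traversal are rejected up front."""
    return NAME_RE.fullmatch(value) is not None

def include_target(module, action):
    """Path a hardened index.php would include for module/action, or None.
    Defence in depth: even a value that passes the regex is resolved and
    checked to lie under MODULES_ROOT before anything is included."""
    if not (safe_name(module) and safe_name(action)):
        return None
    path = os.path.realpath(os.path.join(MODULES_ROOT, module, action + ".php"))
    if os.path.commonpath([MODULES_ROOT, path]) != MODULES_ROOT:
        return None
    return path

def request_is_safe(url):
    """Decode the query string as PHP does and vet every include-controlling
    parameter it carries. Blank values count as unsafe ('unexpected input')."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name in INCLUDE_PARAMS:
        if not all(safe_name(v) for v in query.get(name, [])):
            return False
    return True

if __name__ == "__main__":
    # Constructed from the advisory's URLs; the last one is a legitimate request.
    for u in ("http://host/Sugarcrm/index.php?module=/../../etc/hosts%00&action=EditView",
              "http://host/sugarcrm/modules/Users/Login.php?theme=/../../../etc/hosts%00",
              "http://host/Sugarcrm/index.php?module=Calls&action=EditView"):
        print(request_is_safe(u), u)
```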

Install Scripts
Scope:
After a successful installation of SugarSales, the install script files 
are not removed or locked, unless they are manually deleted by the 
administrator of the site. An attacker can use the install scripts to 
perform a denial of service attack by dropping the tables and replacing 
them with the default ones. More importantly, however, the MySQL password 
can be found in plain text in one of the install script forms.

Countermeasures:
Until a fix is available, set the following parameters in php.ini:
register_globals = Off
magic_quotes_gpc = On

Manually delete the /install directory.

Disclosure Timeline:
Nov. 17: Notified vendor
Nov. 22: Vendor reply
Nov. 24: Release of 2.0.1a, which fixes only SQL Injection
Nov. 25: Notification to vendor that not all vulnerabilities were fixed by 
the patch
Nov. 28: Supplied vendor with a patch for the file inclusion flaws
Dec. 08: Release of 2.0.1c which still does not fix file inclusion flaws
Dec. 13: Disclosure of the vulnerabilities

Vendor Status:
The vendor has been notified and fixed some of the vulnerabilities we have 
reported in version 2.0.1a. Even though we supplied them with a patch for 
the other vulnerabilities, the patch has been applied to neither version 
2.0.1b nor 2.0.1c. As a result, we are now posting the advisory.


ADDITIONAL INFORMATION

The information has been provided by Daniel Fabian <mailto:research@sec-consult.com>.
The original article can be found at:
http://www.gulftech.org/?node=research&article_id=00053-120104


