SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   SugarSales (SugarCRM) Vendors:   SugarCRM Inc.
SugarSales Input Validation Bugs Let Remote Users View Files, Inject SQL Commands, and Determine the Installation Path
SecurityTracker Alert ID:  1012490
SecurityTracker URL:  http://securitytracker.com/id/1012490
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 13 2004
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of user information
Exploit Included:  Yes  
Version(s): 2.0.1c and prior versions
Description:   Several vulnerabilities were reported in in SugarSales. A remote user can view files on the target system. A remote user can also inject SQL commands and determine the installation path.

Daniel Fabian of SEC Consult reported that a remote user can supply specially crafted parameters to view the contents of files on the target system with the privileges of the target web service. Some demonstration exploit URLs [the first two of which require authentication] are provided:

http://[target]/Sugarcrm/index.php?module=/../../etc/hosts%00&action=EditView
http://[target]/Sugarcrm/index.php?module=Calls%00&action=/../../etc/hosts%00
http://[target]/sugarcrm/modules/Users/Login.php?theme=/../../../etc/hosts%00
http://[target]/sugarcrm/modules/Calls/index.php?theme=/../../../etc/hosts%00

Other files in the 'modules' directory are affected.

It is also reported that the software does not remove or restrict access to the install script files after installation. A remote user can invoke some of these install scripts to cause denial of service conditions or to determine the MySQL password.

It is also reported that a remote user can inject SQL commands to be executed by the underlying database [these flaws were fixed in version 2.0.1a]. As an example, a remote user can authenticate with the following username:

admin' or 1=1 --

Finally, it is reported that a remote user can invoke certain scripts to cause the system to display the full installation path. A demonstration exploit URL is provided:

http://[target]/Sugarcrm/phprint.php?jt=fe3e158b220567409e5d8976d34bcdae
&module=&action=&record=&lang=de

The vendor was notified on November 17, 2004.

Impact:   A remote user can view files on the target system with the privileges of the target web service.

A remote user can inject SQL commands to be executed by the underlying database.

A remote user can determine the installation path.

Solution:   No vendor solution was available at the time of this entry.

The author of the report indicates that as a workaround, you can manually delete the '/install' directory and also set the following parameters in the 'php.ini' file:

register_globals = Off
magic_quotes = On

Vendor URL:  www.sugarcrm.com/ (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] SugarSales Multiple Vulnerabilities


-------------------------------------------------------------------------
|                    SugarSales Multiple Vulnerabilities                |
-------------------------------------------------------------------------

Date: 12-11-2004
Author: Daniel Fabian
Product: SugarSales (formerly SugarCRM)
Affected Version:  up to 2.0.1c
Vendor: SugarCRM (http://www.sugarcrm.com)
Vendor-Status: vendor contacted


~~~~~~~~
Synopsis
~~~~~~~~~~~~~~~~~~~~~~~~

Multiple Vulnerabilities have been found in the open source customer
relationship management software SugarSales. These vulnerabilities are:

- Full Path Disclosure
- Install Script
- File Inclusion/Remote Command Execution
- SQL Injection

Some of the vulnerabilities described in this advisory can only be
exploited while logged into SugarSales, however there are also numerious
flaws that can be exploited by a bypasser without the knowledge of a
username or password.


~~~~~~~~
References
~~~~~~~~~~~~~~~~~~~~~~~~

A subset of the vulnerabilities described in this advisory has already
been independendly discovered by James Bercegay and Damon Wood of the
GulfTech Security Research Team. Their advisory can be found at
http://www.gulftech.org/?node=research&article_id=00053-120104.
As they have been first to post some of these flaws, all credits for those
vulnerabilities go to them. It's a first come first serve world. However
as there are some more flaws - most of which can be exploited while not
logged into SugarSales - we post our advisory in addition.


~~~~~~~~
Vendor Status
~~~~~~~~~~~~~~~~~~~~~~~~

The vendor has been notified and fixed some of the vulnerabilities we
have reported in version 2.0.1a. Even though we supplied them with an
patch for the other vulnerablities, the patch has been neither applied
to version 2.0.1b nor 2.0.1c. As a result, we are now posting the
advisory.


~~~~~~~~
Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~

SQL Injection
-------------

Scope:
Due to insufficient input validation, an attacker can manipulate the
SQL statements that are sent to the database. Two exploits exist for
this flaw where one can be only used when logged into SugarSales,
however the other one can be used to log into SugarSales.
Both of these vulnerabilities have been fixed in version 2.0.1a.

Login:
An attacker can log into Sugarsales using the username "admin' or 1=1
 -- " (without the double quotes) and any password.

Retrieving Data:
Once logged in, an attacker can also perform SQL injection to retrieve
data, using a request such as (to be considered one line):
http://host/sugarcrm/index.php?action=DetailView&module=Opportunities&
record=xxx'+union+select+1,2,3,4,5,6,user_name,8,9,10,11,12,13,14,15,16,
17,user_password+from+users+limit+1,1+--+

Of course as the attacker is already logged in, there is not much use in
performing this SQL injection anyway. All modules seem to be affected.


Full Path Disclosure
--------------------

Scope:
A lot of scripts show the full path if unexpected input is encountered.
This allows an attacker to enumerate the system and locate the webroot.
This flaw has not yet been fixed (as of version 2.0.1c).


Example:
http://host/Sugarcrm/phprint.php?jt=fe3e158b220567409e5d8976d34bcdae
&module=&action=&record=&lang=de



File Inclusion/Remote Command Execution
---------------------------------------

Scope:
Due to insufficient input validation of user input that is used in
include() or require() directives, an attacker is able to disclose
arbitrary files by specifying their path in certain HTTP GET parameters.
Two file inclusions can only be exploited while logged into SugarSales,
however again there are numerious other file inclusion flaws that can be
used by a bypasser without knowledge of a username or password. As with
all such file inclusion flaws, remote command execution is just the blink
of an eye away. If the attacker is able to log in (eg. as described above
using SQL injection) and upload text files or find the webserver log file,
he can gain a comfortable web-shell and take control over the server.

Modules and Actions (only possible when logged in):
http://host/Sugarcrm/index.php?module=/../../etc/hosts%00&action=EditView
http://host/Sugarcrm/index.php?module=Calls%00&action=/../../etc/hosts%00

Include files (possible to exploit when not logged in):
http://host/sugarcrm/modules/Users/Login.php?theme=/../../../etc/hosts%00
http://host/sugarcrm/modules/Calls/index.php?theme=/../../../etc/hosts%00
This flaw can be found in numerious other files in the modules directory.

Neither of the two flaws has been fixed as of version 2.0.1c.


Install Scripts
---------------

Scope:
After a successful installation of SugarSales, the install script files
are not removed or locked, unless manually deleted by the administrator
of the site. An attacker can use the install scripts to perform a denial
of service attack by dropping the tables and replacing them with the
default ones. However more importantly, the MySQL password can be found
in plaintext on one of the install script forms.


~~~~~~~~
Counter Measures
~~~~~~~~~~~~~~~~~~~~~~~~

Until a fix is available, set the following parameters in php.ini:
register_globals = Off
magic_quotes = On

Manually delete the /install directory.


~~~~~~~~
Timeline
~~~~~~~~~~~~~~~~~~~~~~~~

Nov. 17: Notified vendor
Nov. 22: Vendor reply
Nov. 24: Release of 2.0.1a, which fixes only SQL Injection
Nov. 25: Notification to vendor that not all vulnerabilities were fixed
         by the patch.
Nov. 28: Supplied vendor with a patch for the file inclusion flaws
Dec. 08: Release of 2.0.1c which still does not fix file inclusion flaws
Dec. 13: Disclosure of the vulnerabilities

~~~~~~~~
Contact
~~~~~~~~~~~~~~~~~~~~~~~~


SEC Consult Unternehmensberatung GmbH

Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
http://www.sec-consult.com



EOF Daniel Fabian / @2004
d.fabian at sec-consult dot com



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC