[UNIX] SugarSales Multiple Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 12/28/04

    To: list@securiteam.com
    Date: 28 Dec 2004 17:07:49 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      SugarSales Multiple Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    Multiple vulnerabilities have been found in the open source customer
    relationship management software SugarSales (SugarCRM). These
    vulnerabilities are:

     - Full Path Disclosure
     - Install Script
     - File Inclusion/Remote Command Execution
     - SQL Injection

    Some of the vulnerabilities described in this advisory can only be
    exploited while logged into SugarSales, however some of them can be
    exploited to bypass the logon process.

    DETAILS

    Vulnerable Systems:
     * SugarSales versions up to 2.0.1c

    Immune Systems:
     * SugarSales version 2.0.1c or newer

    SQL Injection
    Scope:
    Due to insufficient input validation, an attacker can manipulate the SQL
    statements that are sent to the database. Two exploits exist for this flaw:
    one can only be used when already logged into SugarSales, while the other
    can be used to log into SugarSales in the first place. Both of these
    vulnerabilities have been fixed in version 2.0.1a.

    Login:
    An attacker can log into SugarSales using the username "admin' or 1=1 -- "
    (without the double quotes) and any password.

    Retrieving Data:
    Once logged in, an attacker can also perform SQL injection to retrieve
    data, using a request such as (to be considered one line):
    http://host/sugarcrm/index.php?action=DetailView&module=Opportunities&record=xxx' union select 1, 2, 3, 4, 5, 6, user_name, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, user_password from users limit 1, 1 --

    Of course, as the attacker is already logged in, there is not much use in
    performing this SQL injection anyway. All modules seem to be affected.

    Full Path Disclosure:
    Scope:
    A lot of scripts show the full path if unexpected input is encountered.
    This allows an attacker to enumerate the system and locate the webroot.
    This flaw has not yet been fixed (as of version 2.0.1c).

    Example:
    http://host/Sugarcrm/phprint.php?jt=fe3e158b220567409e5d8976d34bcdae&module=&action=&record=&lang=de

    File Inclusion/Remote Command Execution
    Scope:
    Due to insufficient input validation of user input that is later used in
    include() or require() directives, an attacker is able to disclose
    arbitrary files by specifying their path in certain HTTP GET parameters.

    Two of the file inclusions can only be exploited while logged into
    SugarSales; numerous other file inclusion flaws, however, can be used to
    bypass the logon process without knowledge of a username or password.

    As with all such file inclusion flaws, remote command execution is just
    the blink of an eye away. If the attacker is able to log in (e.g. as
    described above using SQL injection) and upload text files or find the
    webserver log file, he can gain a comfortable web-shell and take control
    over the server.

    Modules and Actions (only possible when logged in):
    http://host/Sugarcrm/index.php?module=/../../etc/hosts%00&action=EditView
    http://host/Sugarcrm/index.php?module=Calls%00&action=/../../etc/hosts%00

    Include files (possible to exploit when not logged in):
    http://host/sugarcrm/modules/Users/Login.php?theme=/../../../etc/hosts%00
    http://host/sugarcrm/modules/Calls/index.php?theme=/../../../etc/hosts%00

    These flaws can be found in numerous other files in the modules directory.

    Neither of the two flaws has been fixed as of version 2.0.1c.

    Install Scripts
    Scope:
    After a successful installation of SugarSales, the install script files
    are not removed or locked unless the administrator of the site deletes
    them manually. An attacker can use the install scripts to perform a denial
    of service attack by dropping the tables and replacing them with the
    default ones. More importantly, however, the MySQL password can be found
    in plain text in one of the install script forms.
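    As an added example (not part of this advisory or of SugarCRM's own code), the following Python classifies constructed access-log lines and decoded request parameters against the request-level patterns described in the SQL injection, file inclusion and install script sections above: traversal or NUL bytes in the module/action/theme include parameters, a quote followed by OR/UNION in login or record fields, and hits on the leftover /install directory. The parameter grouping and the common log format are assumptions drawn from the URLs above.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameters the advisory shows being passed to include()/require();
# grouping them this way is this example's own assumption.
PATH_PARAMS = {"module", "action", "theme"}
# A quote followed by OR/UNION, or a trailing "--" comment, as in the
# "admin' or 1=1 -- " login and the UNION SELECT on record=.
SQLI_RE = re.compile(r"'\s*(?:or|union)\b|--\s*$", re.IGNORECASE)
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def classify_params(path, params):
    """Findings for one request, given the decoded parameters that PHP
    would see in $_GET/$_POST (so this also works on login POST data)."""
    findings = []
    for name, value in params.items():
        if name in PATH_PARAMS and (
            "\x00" in value or ".." in value or value.startswith("/")
        ):
            findings.append(f"file_inclusion:{name}")
        if SQLI_RE.search(value):
            findings.append(f"sql_injection:{name}")
    # Leftover install scripts: any hit under /install after setup is suspect.
    if "/install" in path.lower():
        findings.append("install_script_access")
    return findings


def scan_log_line(line):
    """Classify the GET parameters of one common-log-format line.
    POST bodies are not logged, so form logins need classify_params()."""
    m = LOG_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    return classify_params(url.path, params)


# Constructed sample lines modelled on the advisory's request examples.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Dec/2004:10:00:01 +0100] "GET /sugarcrm/modules/Users/Login.php?theme=/../../../etc/hosts%00 HTTP/1.0" 200 512',
    '10.0.0.5 - - [13/Dec/2004:10:00:02 +0100] "GET /sugarcrm/index.php?module=Calls%00&action=/../../etc/hosts%00 HTTP/1.0" 200 734',
    '10.0.0.5 - - [13/Dec/2004:10:00:03 +0100] "GET /sugarcrm/index.php?action=DetailView&module=Opportunities&record=xxx%27%20union%20select%201,user_name%20from%20users%20--%20 HTTP/1.0" 200 901',
    '10.0.0.6 - - [13/Dec/2004:10:00:04 +0100] "GET /sugarcrm/index.php?module=Calls&action=index HTTP/1.0" 200 3001',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scan_log_line(line))
```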

    Counter Measures:
    Until a fix is available, set the following directives in php.ini:
    register_globals = Off
    magic_quotes_gpc = On

    Manually delete the /install directory.

    Disclosure Timeline:
    Nov. 17: Notified vendor
    Nov. 22: Vendor reply
    Nov. 24: Release of 2.0.1a, which fixes only SQL Injection
    Nov. 25: Notification to vendor that not all vulnerabilities were fixed by
    the patch
    Nov. 28: Supplied vendor with a patch for the file inclusion flaws
    Dec. 08: Release of 2.0.1c which still does not fix file inclusion flaws
    Dec. 13: Disclosure of the vulnerabilities

    Vendor Status:
    The vendor has been notified and fixed some of the vulnerabilities we
    reported in version 2.0.1a. Even though we supplied them with a patch for
    the other vulnerabilities, the patch has been applied to neither version
    2.0.1b nor 2.0.1c. As a result, we are now posting the advisory.

    ADDITIONAL INFORMATION

    The information has been provided by Daniel Fabian
    <mailto:research@sec-consult.com>.
    The original article can be found at:
    <http://www.gulftech.org/?node=research&article_id=00053-120104>


