[UNIX] SugarCRM Community Edition Local File Disclosure Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



SugarCRM Community Edition Local File Disclosure Vulnerability
------------------------------------------------------------------------


SUMMARY

SugarCRM Community Edition is vulnerable to disclosure of local file
contents. A malicious user can exploit the flaw to obtain potentially
sensitive information. The flaw is caused by a lack of input filtering in
the SugarCRM RSS module, which can be abused to read the content of files
on the server hosting the application.

The RSS module allows SugarCRM users to add RSS feeds to their personal
RSS list. The application expects a URL value pointing to a valid RSS
feed. However, the URL value is not properly sanitised, and any URI can be
entered instead. In this particular case, it was discovered that a path
to any file on the local system hosting the SugarCRM application can be
entered in place of a URL.

As a result SugarCRM does not display the new entry in the RSS list, as
it is not a valid RSS feed. However, the application still creates a
local cache file whose name is the MD5 hash of the URL value entered. The
file is created in the directory cache/feeds. When the Apache web server
is used, the file is created by the www-data user with read permission,
so the web server is able to serve it.

DETAILS

Vulnerable Systems:
* SugarCRM Community Edition version 4.5.1
* SugarCRM Community Edition version 5.0.0

Immune Systems:
* SugarCRM Community Edition version 4.5.1j
* SugarCRM Community Edition version 5.0.0c

Exploitation:
An exploitation example in a LAMP (Linux, Apache, MySQL, PHP)
environment:

If an authenticated attacker enters the value /etc/passwd (without
quotes) in the RSS URL field, the application generates an MD5 hash of
the string containing the file path. In this case, the value /etc/passwd
is hashed to c5068b7c2b1707f8939b283a2758a691 (without quotes). The MD5
hash is then used as the filename of a cache file holding the contents of
/etc/passwd. The file /etc/passwd can then be viewed publicly at
http://sugarwebsiteaddress/cache/feeds/c5068b7c2b1707f8939b283a2758a691 .

Retrieving the generated cache file afterwards does not require
authentication, since the web server serves it as a static file. The URL
variable is handled by the /modules/Feeds/Feed.php page. The value stored
in $this->url is passed without filtering to the xml_domit_rss_document
constructor at the following line:
$rssdoc = new xml_domit_rss_document($this->url, 'cache/feeds/', 3600);

The XML DOMIT RSS library then retrieves the content at the given path and
writes it to the MD5-named file in the cache/feeds folder, as instructed
by the call in Feed.php.
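The following script is an added example written for this page; it is not
part of the original advisory or of SugarCRM. It shows the two things a
practitioner needs from the description above: how the cache file name is
derived from the submitted value (the MD5 hex digest of the exact string),
and how direct requests for cache/feeds/<md5> can be picked out of an
Apache combined access log and matched against the hashes of a few watched
paths. The web root sugar.example.test, the log lines and the watched-path
list are constructed for illustration; the advisory itself only
demonstrates /etc/passwd.

```python
import hashlib
import re
from urllib.parse import urljoin

# Placeholder web root for the example; not a value from the advisory.
BASE_URL = "http://sugar.example.test/"

# Paths a defender chooses to watch for. Only /etc/passwd comes from the
# advisory; the other entries are assumptions for illustration.
WATCHED_PATHS = ["/etc/passwd", "/etc/shadow", "/etc/hosts"]


def cache_file_name(feed_url: str) -> str:
    """Name of the file the RSS module writes under cache/feeds/: the MD5
    hex digest of the exact string submitted as the feed URL."""
    return hashlib.md5(feed_url.encode("utf-8")).hexdigest()


def disclosure_url(base_url: str, local_path: str) -> str:
    """URL at which the cached copy of local_path becomes readable."""
    return urljoin(base_url, "cache/feeds/" + cache_file_name(local_path))


# Apache combined log: host ident user [time] "request" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
CACHE_RE = re.compile(r"/cache/feeds/([0-9a-f]{32})(?:[?#]|$)")


def find_cache_reads(log_lines):
    """Return one record per direct request for a file under cache/feeds/.
    guessed_source names the watched path whose hash matches, else None."""
    hash_to_path = {cache_file_name(p): p for p in WATCHED_PATHS}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        c = CACHE_RE.search(path)
        if not c:
            continue
        hits.append({
            "ip": ip,
            "time": ts,
            "method": method,
            "path": path,
            "status": int(status),
            "guessed_source": hash_to_path.get(c.group(1)),
        })
    return hits


# Constructed sample log lines (not real traffic). The second line requests
# the cache file for /etc/passwd; the third requests an unknown hash.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Apr/2008:10:15:32 +1200] "GET /index.php?module=Home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [29/Apr/2008:10:16:01 +1200] "GET /cache/feeds/%s HTTP/1.1" 200 1821 "-" "Mozilla/5.0"'
    % cache_file_name("/etc/passwd"),
    '198.51.100.9 - - [29/Apr/2008:11:02:45 +1200] "GET /cache/feeds/%s HTTP/1.1" 404 312 "-" "curl/7.18.0"'
    % ("0" * 32),
]

if __name__ == "__main__":
    print("cache file name for /etc/passwd:", cache_file_name("/etc/passwd"))
    print("public URL:", disclosure_url(BASE_URL, "/etc/passwd"))
    for hit in find_cache_reads(SAMPLE_LOG):
        print(hit)
```

Normal SugarCRM use is assumed not to involve browsers fetching cache/feeds/
files directly, so any such request is worth a look; a 200 response for a
hash that matches a watched path is the strongest signal, while an unmatched
hash still tells you someone is probing the cache directory.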

Solutions:
Install the vendor supplied patches.
Patch 4.5.1j: http://www.sugarcrm.com/forums/showthread.php?t=31688
Patch 5.0.0c: http://www.sugarcrm.com/forums/showthread.php?t=32252
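The advisory does not describe what the vendor patches change, so the
following is an added example, not SugarCRM's fix: it contrasts the
unfiltered handling described above with the kind of input filtering whose
absence causes the flaw, accepting only absolute http(s) URLs that name a
host and rejecting bare filesystem paths and other URI schemes. Function
names and the test values other than /etc/passwd are assumptions made for
this illustration.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def feed_url_unfiltered(url: str) -> str:
    """The behaviour the advisory describes: the submitted value is handed
    to the fetcher unchanged, so a value such as /etc/passwd is accepted."""
    return url


def validate_feed_url(url: str) -> str:
    """Accept only absolute http(s) URLs that name a host.

    Raises ValueError for bare filesystem paths, for file://, php:// and any
    other scheme, and for http URLs that carry no host part.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ALLOWED_SCHEMES:  # urlsplit lower-cases the scheme
        raise ValueError("feed URL must use http or https: %r" % url)
    if not parts.hostname:
        raise ValueError("feed URL must name a host: %r" % url)
    return parts.geturl()


def is_acceptable_feed_url(url: str) -> bool:
    try:
        validate_feed_url(url)
        return True
    except ValueError:
        return False


# Constructed test values; only /etc/passwd comes from the advisory.
CASES = {
    "/etc/passwd": False,
    "file:///etc/passwd": False,
    "php://filter/resource=/etc/passwd": False,
    "http:///etc/passwd": False,
    "http://feeds.example.org/news.rss": True,
    "HTTPS://feeds.example.org/news.rss": True,
}

if __name__ == "__main__":
    for value, expected in CASES.items():
        print("unfiltered:", feed_url_unfiltered(value),
              "| accepted:", is_acceptable_feed_url(value),
              "| expected:", expected)
```

Two caveats that the advisory implies but does not spell out: the filter
above only restricts what the server is asked to fetch, it does not limit
which remote hosts it will contact; and the public read is possible because
cache/feeds/ sits under the web root, so denying web access to that
directory is an independent measure that limits the impact even before the
vendor patch is applied.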


ADDITIONAL INFORMATION

The information has been provided by Roberto Suggi
(roberto.suggi@xxxxxxxxxxxxxxxxxxxxxxx).
The original article can be found at:
http://www.security-assessment.com/files/advisories/2008-04-29_SugarCRM_local_file_disclosure.pdf


