egix@karmainsecurity ~ $

SugarCRM <= 9.0.1 Multiple SQL Injection Vulnerabilities

• Software Link:

https://www.sugarcrm.com

• Affected Versions:

Version 9.0.1 and prior versions, 8.0.3 and prior versions.

• Vulnerabilities Description:

  1. User input passed to the "/pmse_Inbox/changeCaseUser" REST API endpoint is not properly sanitized before being used to construct a SQL query. This can be exploited by malicious users to e.g. read sensitive data from the database through in-band SQL Injection attacks.

  2. User input passed to the "/pmse_Project/CrmData/activities" REST API endpoint is not properly sanitized before being used to construct a SQL query. This can be exploited by malicious users to e.g. read sensitive data from the database through in-band SQL Injection attacks.

  3. User input passed to the "/pmse_Project/CrmData/emails" REST API endpoint is not properly sanitized before being used to construct a SQL query. This can be exploited by malicious users to e.g. read sensitive data from the database through in-band SQL Injection attacks.

  4. User input passed to the "/pmse_Project/CrmData/emailtemplates" REST API endpoint is not properly sanitized before being used to construct a SQL query. This can be exploited by malicious users to e.g. read sensitive data from the database through in-band SQL Injection attacks.

  5. User input passed to the "/pmse_Project/CrmData/users" REST API endpoint is not properly sanitized before being used to construct a SQL query. This can be exploited by malicious users to e.g. read sensitive data from the database through in-band SQL Injection attacks.

  6. User input passed through the “pro_module” JSON parameter to the "/pmse_Project/CrmData/putData" REST API endpoint is not properly sanitized before being used to construct a SQL query. This can be exploited by malicious users to e.g. read sensitive data from the database through time-based Blind SQL Injection attacks.

  7. User input passed through the “cas_id” and “cas_index” parameters to the "/pmse_Project/CrmData/validateReclaimCase" REST API endpoint is not properly sanitized before being used to construct a SQL query. This can be exploited by malicious users to e.g. read sensitive data from the database through time-based Blind SQL Injection attacks.

  8. The vulnerability exists because the "/modules/Emails/Grab.php" script is using the “group_id” field of an “InboundEmail” bean to construct a SQL query without being properly sanitized, and such value can be arbitrarily manipulated through the MergeRecords module. This can be exploited by malicious users to e.g. read sensitive data from the database through boolean-based second-order SQL Injection attacks.

  9. The vulnerability exists because the "/[module]/export" REST API endpoint is using a value that can be arbitrarily manipulated through the "/[module]/record_list" endpoint to construct a SQL query without being properly sanitized. This can be exploited by malicious users to e.g. read sensitive data from the database through in-band second-order SQL Injection attacks.

  10. User input passed through the “order_by” parameter to the "/link/history" REST API endpoint is not properly sanitized before being used to construct a SQL query. This can be exploited by malicious users to e.g. read sensitive data from the database through time-based Blind SQL Injection attacks.

  11. The vulnerability exists because the PersonFormBase::checkForDuplicates() method is using certain POST parameters to construct a SQL query without being properly sanitized. This can be exploited by malicious users to e.g. read sensitive data from the database through time-based SQL Injection attacks.

  12. User input passed through the “act_name” JSON parameter to the "/pmse_Inbox" REST API endpoint is not properly sanitized before being used to construct a SQL query. This can be exploited by malicious users to e.g. read sensitive data from the database through time-based Blind SQL Injection attacks.

  13. User input passed to the "/pmse_Inbox/processUsersChart" REST API endpoint is not properly sanitized before being used to construct a SQL query. This can be exploited by malicious users to e.g. read sensitive data from the database through in-band SQL Injection attacks. Successful exploitation of this vulnerability requires an user account with Admin/Developer access to the “Processes” module.

  14. User input passed through the “deal_tot_discount_percentage” JSON parameter to the "/Quotes" REST API endpoint is not properly sanitized before being used to construct a SQL query. This can be exploited by malicious users to e.g. read sensitive data from the database through time-based Blind SQL Injection attacks.

  15. User input passed through the “q” parameter to the "/pmse_Inbox/unattendedCases" REST API endpoint is not properly sanitized before being used to construct a SQL query. This can be exploited by malicious users to e.g. read sensitive data from the database through in-band SQL Injection attacks. Successful exploitation of this vulnerability requires an user account with Admin/Developer access to the “Processes” module.

  16. User input passed to the "/pmse_Inbox/userListByTeam" REST API endpoint is not properly sanitized before being used to construct a SQL query. This can be exploited by malicious users to e.g. read sensitive data from the database through in-band SQL Injection attacks.

• Solution:

Upgrade to version 9.0.2, 8.0.4, or later.

• Disclosure Timeline:

[07/02/2019] – Vendor notified

[01/10/2019] – Versions 9.0.2 and 8.0.4 released

[10/10/2019] – Publication of this advisory

• Credits:

Vulnerabilities discovered by Egidio Romano.

• Other References:

https://support.sugarcrm.com/Documentation/Sugar_Versions/9.0/Ent/Sugar_9.0.2_Release_Notes