SugarCRM <= 6.5.18 (SAML Authentication) XML External Entity Vulnerability

• Software Link:

http://www.sugarcrm.com

• Affected Versions:

Version 6.5.18 CE and prior versions.

• Vulnerability Description:

The vulnerable code is located in the constructor method of the SamlResponse class:

63function __construct($settings, $assertion) {
64  $this->settings = $settings;
65  $this->assertion = base64_decode($assertion);
66  $this->xml = new DOMDocument();
67  $this->xml->loadXML($this->assertion);
68}

Which is being called by the authenticateUser method of the SAMLAuthenticateUser class:

75$samlresponse = new SamlResponse($settings, $_POST['SAMLResponse']);

User input passed through the “SAMLResponse” POST parameter isn’t properly sanitized before being used in a call to the DOMDocument::loadXML() method, and there are no calls to the libxml_disable_entity_loader() function. This can be exploited by unauthenticated attackers to carry out XML External Entity (XXE) attacks. Successful exploitation of this vulnerability requires SAML authentication to be enabled (disabled by default).

• Solution:

Update to version 6.5.19 CE or higher.

• Disclosure Timeline:

[15/10/2014] – Vendor notified

[18/10/2014] – Vendor acknowledgement

[15/12/2014] – Version 6.5.19 CE released: https://goo.gl/jucc0C

[29/04/2015] – CVE number requested

[23/06/2016] – Public disclosure

• CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a CVE identifier for this vulnerability.

• Credits:

Vulnerability discovered by Egidio Romano.