SugarCRM <= 6.5.18 (SAML Authentication) XML External Entity Vulnerability
• Software Link:
• Affected Versions:
Version 6.5.18 CE and prior versions.
• Vulnerability Description:
The vulnerable code is located in the constructor method of the SamlResponse class:
function __construct($settings, $assertion) { $this->settings = $settings; $this->assertion = base64_decode($assertion); $this->xml = new DOMDocument(); $this->xml->loadXML($this->assertion); }
Which is being called by the authenticateUser method of the SAMLAuthenticateUser class:
$samlresponse = new SamlResponse($settings, $_POST['SAMLResponse']);
User input passed through the “SAMLResponse” POST parameter isn’t properly sanitized before being used in a call
to the “DOMDocument::loadXML()” method, and there are no calls to the “libxml_disable_entity_loader()” function.
This can be exploited by unauthenticated attackers to carry out XML External Entity (XXE) attacks. Successful
exploitation of this vulnerability requires SAML authentication to be enabled (disabled by default).
• Solution:
Update to version 6.5.19 CE or higher.
• Disclosure Timeline:
[15/10/2014] – Vendor notified
[18/10/2014] – Vendor acknowledgement
[15/12/2014] – Version 6.5.19 CE released: https://goo.gl/jucc0C
[29/04/2015] – CVE number requested
[23/06/2016] – Public disclosure
• CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has not assigned a CVE identifier for this vulnerability.
• Credits:
Vulnerability discovered by Egidio Romano.