SugarCRM <= 9.0.1 Multiple PHP Code Injection Vulnerabilities

https://www.sugarcrm.com

• Affected Versions:

Version 9.0.1 and prior versions, 8.0.3 and prior versions.

• Vulnerabilities Description:

  1. When handling the “Locale” action within the “Administration” module, the application allows arbitrary settings to be injected into the config_override.php file. This can be exploited by malicious users to inject and execute arbitrary PHP code, for example by setting the file extension of the system log file to .php. Successful exploitation of this vulnerability requires a System Administrator account.

  2. When handling the “SaveRelationship” action within the “ModuleBuilder” module, the application allows arbitrary settings to be injected into the config_override.php file. This can be exploited by malicious users to inject and execute arbitrary PHP code, for example by setting the file extension of the system log file to .php.

  3. When handling the “PasswordManager” action within the “Administration” module, the application allows arbitrary settings to be injected into the config_override.php file. This can be exploited by malicious users to inject and execute arbitrary PHP code, for example by setting the file extension of the system log file to .php. Successful exploitation of this vulnerability requires a System Administrator account.

  4. When handling the “saveadminwizard” action within the “Configurator” module, the application allows arbitrary settings to be injected into the config_override.php file. This can be exploited by malicious users to inject and execute arbitrary PHP code, for example by setting the file extension of the system log file to .php. Successful exploitation of this vulnerability requires a System Administrator account.

  5. When handling the “trackersettings” action within the “Trackers” module, the application allows arbitrary settings to be injected into the config_override.php file. This can be exploited by malicious users to inject and execute arbitrary PHP code, for example by setting the file extension of the system log file to .php.

  6. When handling the “updatewirelessenabledmodules” action within the “Administration” module, the application allows arbitrary settings to be injected into the config_override.php file. This can be exploited by malicious users to inject and execute arbitrary PHP code, for example by setting the file extension of the system log file to .php. Successful exploitation of this vulnerability requires a System Administrator account.
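
As an added defensive check that is not part of the original advisory: a small Python audit that parses the simple string assignments in config_override.php and flags a log-file extension outside an allowlist, which is the symptom all six issues above share. The config key path logger.file.ext, the allowlist and the sample file contents are assumptions for this example, not values taken from the advisory.

```python
import re

# Allowlist of extensions a log file may legitimately use (assumption for this
# audit; adjust to the deployment's own policy).
SAFE_LOG_EXTENSIONS = {".log", ".txt"}
# Extensions a typical web server hands to the PHP interpreter.
EXECUTABLE_EXTENSIONS = (".php", ".phtml", ".php3", ".php5", ".php7", ".phar")

# Matches simple string assignments such as
#   $sugar_config['logger']['file']['ext'] = '.log';
# (the logger.file.ext key path is an assumption about SugarCRM's config layout)
SETTING_RE = re.compile(
    r"^\s*\$sugar_config(?P<path>(?:\[\s*'[^']*'\s*\])+)\s*=\s*'(?P<value>[^']*)'\s*;",
    re.MULTILINE,
)

def parse_overrides(php_source):
    """Return (key_path, value) pairs for every string assignment found."""
    settings = []
    for m in SETTING_RE.finditer(php_source):
        key_path = tuple(re.findall(r"'([^']*)'", m.group("path")))
        settings.append((key_path, m.group("value")))
    return settings

def find_suspicious_settings(php_source):
    """Flag settings that would turn the log file (or anything else) into PHP.

    Returns a list of (key_path, value, reason) tuples.
    """
    findings = []
    for key_path, value in parse_overrides(php_source):
        lowered = value.lower()
        if key_path == ("logger", "file", "ext"):
            if lowered not in SAFE_LOG_EXTENSIONS:
                findings.append((key_path, value, "log extension outside allowlist"))
        elif key_path[:2] == ("logger", "file") and lowered.endswith(EXECUTABLE_EXTENSIONS):
            findings.append((key_path, value, "executable extension in log file setting"))
        elif lowered.endswith(EXECUTABLE_EXTENSIONS):
            findings.append((key_path, value, "value ends with executable extension; review"))
    return findings

# Constructed sample of a tampered config_override.php (not from a real system).
INJECTED_OVERRIDE = """<?php
$sugar_config['logger']['file']['ext'] = '.php';
$sugar_config['logger']['file']['name'] = 'sugarcrm';
$sugar_config['default_theme'] = 'RacerX';
"""

if __name__ == "__main__":
    for key_path, value, reason in find_suspicious_settings(INJECTED_OVERRIDE):
        print(".".join(key_path), "=", repr(value), "->", reason)
```

Run it against the real config_override.php of an installation to confirm the log extension still matches the allowlist after applying the vendor fix.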

• Solution:

Upgrade to version 9.0.2, 8.0.4, or later.

• Disclosure Timeline:

[07/02/2019] – Vendor notified

[01/10/2019] – Versions 9.0.2 and 8.0.4 released

[10/10/2019] – Publication of this advisory

• Credits:

Vulnerabilities discovered by Egidio Romano.

• Other References:

https://support.sugarcrm.com/Documentation/Sugar_Versions/9.0/Ent/Sugar_9.0.2_Release_Notes