Menu

Search for hundreds of thousands of exploits

"SugarCRM Community Edition 4.5.1/5.0.0 - File Disclosure"

Author

Exploit author

"Roberto Suggi Liverani"

Platform

Exploit platform

php

Release date

Exploit published date

2008-04-29

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
Name                          SugarCRM – Local File Disclosure
SugarCRM                      http://www.sugarcrm.com/docs/Release_Notes/OpenSource_ReleaseNotes_4.5.1j/
Advisories                    Sugar_Release_Notes_4.5.1j.2.6.html (Bug 20522)
                              http://dl.sugarforge.org/sugarcrm/SugarCE5.0Latest/SugarCE5.0.0/
                              Sugar_CommunityEdition_ReleaseNotes_5.0c.pdf (Bug 20342)
Date Released                 4.5.1j in March 24, 2008 and 5.0.0c in April 4, 2008
Affected Software             SugarCRM - Community Edition Version 5.0.0
                              SugarCRM – Community Edition Version 4.5.1
Researcher                    Roberto Suggi Liverani roberto.suggi@security-assessment.com

Description
SugarCRM Community Edition is vulnerable to local file contents disclosure. This 
vulnerability can be exploited by a malicious user to disclose potentially sensitive 
information. The flaw is caused due to a lack of input filtering in the SugarCRM RSS 
module, which can be exploited to disclose the content of local files.
The RSS module allows SugarCRM users to add RSS feeds to their personal RSS list. The application expects an
URL value pointing to a valid RSS feed. However, the URL variable value is not properly sanitised and any URI
value can be entered instead. In this particular case, it was discovered that it is possible to enter a file path to
any files on the local system hosting the SugarCRM application.
As a result SugarCRM does not display the new RSS feed in the list as it is not a valid RSS URL Feed. However,
the application creates a local file with the filename of the md5 hash of the URL entered. The file is created in
the directory cache/feeds . If the Apache web server is used, the file is created with the user www-data
containing read permission.

Exploitation
An exploitation example in a LAMP (Linux, Apache, Mysql, PHP) environment:
If an authenticated attacker enters a value of âœ/etc/passwd” (without quotes) in the RSS URL field, the
application will generate a MD5 hash of the string containing the file path. In this case, the value âœ/etc/passwd”
is hashed to âœc5068b7c2b1707f8939b283a2758a691” (without quotes). The MD5 hash is then used as a
filename with the file contents of /etc/passwd. The file /etc/passwd can then be viewable publicly at
http://sugarwebsiteaddress/cache/feeds/c5068b7c2b1707f8939b283a2758a691 .

Exploitation of this flaw does not require authentication.
The URL variable is handled by the /modules/Feeds/Feed.php page. The array variable $url is passed without
filtering to the xml_domit_rss_document function at the following line:
$rssdoc = new xml_domit_rss_document ($this->url, ‘cache/feeds/’, 3600);
The XML domit RSS plugin is then called and retrieves the file content at the path given and then generate the
MD5 hashed file in the cache/feeds folder as instructed by the function in Feed.php .

Solution
Install the vendor supplied patches.
Patch 4.5.1j: http://www.sugarcrm.com/forums/showthread.php?t=31688
Patch 5.0.0c: http://www.sugarcrm.com/forums/showthread.php?t=32252

About Security-Assessment.com
Security-Assessment.com is Australasia’s leading team of Information Security consultants specialising in
providing high quality Information Security services to clients throughout the Asia Pacific region. Our clients
include some of the largest globally recognised companies in areas such as finance, telecommunications,
broadcasting, legal and government. Our aim is to provide the very best independent advice and a high level of
technical expertise while creating long and lasting professional relationships with our clients.
Security-Assessment.com is committed to security research and development, and its team continues to identify
and responsibly publish vulnerabilities in public and private software vendor's products. Members of the
Security-Assessment.com R&D team are globally recognised through their release of whitepapers and
presentations related to new security research.

For further information on this issue or any of our service offerings, contact us
Web     www.security-assessment.com
Email   info@security-assessment.com
Phone   +649 302 5093

# milw0rm.com [2008-04-29]
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-12-02 "WordPress Plugin Wp-FileManager 6.8 - RCE" webapps php "Mansoor R"
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" webapps php "Mufaddal Masalawala"
2020-12-02 "Simple College Website 1.0 - 'page' Local File Inclusion" webapps php Mosaaed
2020-12-02 "Car Rental Management System 1.0 - SQL Injection / Local File include" webapps php Mosaaed
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
2020-12-01 "Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS" webapps php yunaranyancat
Release Date Title Type Platform Author
2015-04-02 "Kemp Load Master 7.1.16 - Multiple Vulnerabilities" webapps multiple "Roberto Suggi Liverani"
2012-04-22 "Oracle GlassFish Server - REST Cross-Site Request Forgery" webapps windows "Roberto Suggi Liverani"
2012-04-22 "Oracle GlassFish Server 3.1.1 (build 12) - Multiple Cross-Site Scripting Vulnerabilities" webapps windows "Roberto Suggi Liverani"
2011-10-21 "Opera 11.51 - Use-After-Free Crash (PoC)" dos windows "Roberto Suggi Liverani"
2011-08-11 "Adobe RoboHelp 9 - DOM Cross-Site Scripting" webapps cgi "Roberto Suggi Liverani"
2011-03-11 "Oracle WebLogic - POST Session Fixation" webapps multiple "Roberto Suggi Liverani"
2010-10-20 "Oracle Sun Java System Web Server - HTTP Response Splitting" webapps jsp "Roberto Suggi Liverani"
2010-10-20 "Oracle JRE - java.net.URLConnection class Same-of-Origin 'SOP' Policy Bypass" remote windows "Roberto Suggi Liverani"
2010-02-22 "Adobe (Multiple Products) - XML External Entity / XML Injection" dos multiple "Roberto Suggi Liverani"
2008-10-22 "Opera 9.60 - Persistent Cross-Site Scripting" remote windows "Roberto Suggi Liverani"
2008-04-29 "SugarCRM Community Edition 4.5.1/5.0.0 - File Disclosure" webapps php "Roberto Suggi Liverani" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected