Share
----------------------------------------------------------------  
SugarCRM <= 9.0.1 Multiple Broken Access Control Vulnerabilities  
----------------------------------------------------------------  
  
  
[-] Software Link:  
  
https://www.sugarcrm.com  
  
  
[-] Affected Versions:  
  
Version 9.0.1 and prior versions, 8.0.3 and prior versions.  
  
  
[-] Vulnerabilities Description:  
  
1) There is a Broken Access Control vulnerability with regards to the   
"InboundEmail" module.  
When handling the "Save" action the application fails to properly check   
whether the user has  
Admin access to the module, thus allowing any user to create a new   
"InboundEmail" bean  
regardless of their roles/permissions.  
  
2) There is a Broken Access Control vulnerability with regards to the   
"Trackers" module.  
When handling the "trackersettings" action the application fails to   
properly check whether  
the user has Admin access to the module, thus allowing any user to   
change Trackers'  
settings regardless of their roles/permissions  
  
3) There is a Broken Access Control vulnerability with regards to the   
"Campaigns" module.  
When handling the "WizardEmailSetupSave" action the application fails to   
properly check  
whether the user has Admin access to the module, thus allowing any user   
to change Email  
Setup for Campaigns regardless of their roles/permissions.  
  
4) There is a Broken Access Control vulnerability with regards to the   
"ModuleBuilder" module.  
When the "view_module" parameter is set to an empty string, the   
application fails to properly  
check whether the user has permissions to access the module, thus   
allowing any user to access  
certain ModuleBuilder actions regardless of their roles.  
  
5) There is a Broken Access Control vulnerability with regards to the   
"Administration"  
module. When handling the "SaveMerge" action within the "MergeRecords"   
module the application  
fails to properly check whether the user is a System Administrator, thus   
allowing unauthorized  
users to inject arbitrary "Administration" beans (which means arbitrary   
values into the  
"config" database table). Successful exploitation of this vulnerability   
requires an user  
account with Developer access to any module.  
  
6) There is a Broken Access Control vulnerability with regards to the   
"Administration" module.  
When handling the "Save" action within the "EmailMan" module the   
application allows unauthorized  
users to modify administration settings by invoking the   
"Administration::saveConfig()" method.  
Successful exploitation of this vulnerability requires an user account   
with Developer access  
to the Emails or Campaigns modules.  
  
7) There is a Broken Access Control vulnerability with regards to the   
"Administration" module.  
When handling the "WizardEmailSetupSave" action within the "Campaigns"   
module the application  
allows unauthorized users to modify administration settings by invoking   
the  
"Administration::saveConfig()" method.  
  
8) There is a Local File Inclusion vulnerability within the   
"add_to_prospect_list" function.  
User input passed through the "parent_module" and "parent_type"   
parameters is not properly  
sanitized before being used in a call to the include() function. This   
can be exploited to  
include arbitrary .php files within the webroot and potentially bypass   
authorization mechanisms  
(for instance, by setting the "parent_module" parameter to   
"Administration" and the "parent_type"  
parameter to "expandDatabase" or any other action which does not   
implement ACL checks).  
  
  
[-] Solution:  
  
Upgrade to version 9.0.2, 8.0.4, or later.  
  
  
[-] Disclosure Timeline:  
  
[07/02/2019] - Vendor notified  
[01/10/2019] - Versions 9.0.2 and 8.0.4 released  
[10/10/2019] - Publication of this advisory  
  
  
[-] Credits:  
  
Vulnerabilities discovered by Egidio Romano.  
  
  
[-] Original Advisory:  
  
http://karmainsecurity.com/KIS-2019-05  
  
  
[-] Other References:  
  
https://support.sugarcrm.com/Documentation/Sugar_Versions/9.0/Ent/Sugar_9.0.2_Release_Notes