Share
---------------------------------------------------------  
SugarCRM <= 9.0.1 Multiple Path Traversal Vulnerabilities  
---------------------------------------------------------  
  
  
[-] Software Link:  
  
https://www.sugarcrm.com  
  
  
[-] Affected Versions:  
  
Version 9.0.1 and prior versions, 8.0.3 and prior versions.  
  
  
[-] Vulnerabilities Description:  
  
1) User input passed to the "/Mail/attachment" REST API endpoint is not   
properly  
sanitized before being used to delete a file from the system. This can   
be exploited  
by malicious users to delete arbitrary files via Path Traversal attacks.   
Please  
note this vulnerability could be exploited to delete the 'config.php'   
file and  
re-install the application, potentially leading to a full server   
compromise.  
  
2) User input passed through the "temp_id" parameter to the   
"/[module]/temp/file"  
REST API endpoint is not properly sanitized before being used to   
download/delete a  
file from the system. This can be exploited by malicious users to   
download and/or  
delete arbitrary files via Path Traversal attacks. Please note this   
vulnerability  
could be exploited to download and delete the 'config.php' file and   
re-install  
the application, potentially leading to a full server compromise.  
  
3) User input passed through the "dropdown_lang" parameter when handling   
the "wizard"  
action within the "Studio" module is not properly sanitized before being   
used in a  
call to the include() PHP function. This can be exploited by malicious   
users to upload  
and execute arbitrary PHP code via Path Traversal attacks. Successful   
exploitation  
of this vulnerability requires an user account with Developer access to   
any module.  
  
4) User input passed through the "filename" parameter when handling the   
"deleteFont"  
action within the "Configurator" module is not properly sanitized before   
being used  
to delete a file from the system. This can be exploited by malicious   
users to delete  
arbitrary files. Please note this vulnerability could be exploited to   
delete the  
'config.php' file and re-install the application, potentially leading to   
a full  
server compromise. Successful exploitation of this vulnerability   
requires a  
System Administrator account.  
  
  
[-] Solution:  
  
Upgrade to version 9.0.2, 8.0.4, or later.  
  
  
[-] Disclosure Timeline:  
  
[07/02/2019] - Vendor notified  
[01/10/2019] - Versions 9.0.2 and 8.0.4 released  
[10/10/2019] - Publication of this advisory  
  
  
[-] Credits:  
  
Vulnerabilities discovered by Egidio Romano.  
  
  
[-] Original Advisory:  
  
http://karmainsecurity.com/KIS-2019-06  
  
  
[-] Other References:  
  
https://support.sugarcrm.com/Documentation/Sugar_Versions/9.0/Ent/Sugar_9.0.2_Release_Notes