-------------------------------------------------------------  
SugarCRM <= 9.0.1 Multiple PHP Code Injection Vulnerabilities  
-------------------------------------------------------------  
  
  
[-] Software Link:  
  
https://www.sugarcrm.com  
  
  
[-] Affected Versions:  
  
Version 9.0.1 and prior versions, 8.0.3 and prior versions.  
  
  
[-] Vulnerabilities Description:  
  
1) When handling the "Locale" action within the "Administration" module, the application allows arbitrary settings to be injected into the 'config_override.php' file. This can be exploited by malicious users to inject and execute arbitrary PHP code, e.g. by setting the file extension of the system log file to .php. Successful exploitation of this vulnerability requires a System Administrator account.  
  
2) When handling the "SaveRelationship" action within the "ModuleBuilder" module, the application allows arbitrary settings to be injected into the 'config_override.php' file. This can be exploited by malicious users to inject and execute arbitrary PHP code, e.g. by setting the file extension of the system log file to .php.  
  
3) When handling the "PasswordManager" action within the "Administration" module, the application allows arbitrary settings to be injected into the 'config_override.php' file. This can be exploited by malicious users to inject and execute arbitrary PHP code, e.g. by setting the file extension of the system log file to .php. Successful exploitation of this vulnerability requires a System Administrator account.  
  
4) When handling the "saveadminwizard" action within the "Configurator" module, the application allows arbitrary settings to be injected into the 'config_override.php' file. This can be exploited by malicious users to inject and execute arbitrary PHP code, e.g. by setting the file extension of the system log file to .php. Successful exploitation of this vulnerability requires a System Administrator account.  
  
5) When handling the "trackersettings" action within the "Trackers" module, the application allows arbitrary settings to be injected into the 'config_override.php' file. This can be exploited by malicious users to inject and execute arbitrary PHP code, e.g. by setting the file extension of the system log file to .php.  
  
6) When handling the "updatewirelessenabledmodules" action within the "Administration" module, the application allows arbitrary settings to be injected into the 'config_override.php' file. This can be exploited by malicious users to inject and execute arbitrary PHP code, e.g. by setting the file extension of the system log file to .php. Successful exploitation of this vulnerability requires a System Administrator account.  
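
All six issues share one mechanism: a logger setting written into 'config_override.php' that turns the system log file into a PHP-served file. The audit script below is an added example, not part of this advisory or of SugarCRM's own code; it assumes config_override.php consists of lines of the form `$sugar_config['logger']['file']['ext'] = '.log';` and that the logger keys are `logger.file.ext` and `logger.file.name`, and it flags a deployed override whose log suffix or name would be handled as PHP.

```python
import re
from typing import Dict, List, Tuple

# One $sugar_config assignment as written to config_override.php (assumed format):
#   $sugar_config['logger']['file']['ext'] = '.log';
ASSIGN_RE = re.compile(r"^\s*\$sugar_config((?:\['[^']*'\])+)\s*=\s*(.*?);\s*$")
KEY_RE = re.compile(r"\['([^']*)'\]")
# Allowlist of plain-text log suffixes; it spares us enumerating every suffix a
# web server may hand to PHP (.php, .phtml, .phar, ...).
SAFE_LOG_EXTS = {".log", ".txt"}
# Apache's AddHandler matches its extension anywhere in a file name, so a PHP
# suffix inside the log *name* is flagged even when the ext itself is safe.
PHP_IN_NAME_RE = re.compile(r"\.ph(?:p\d?|tml|ar)\b", re.I)

def parse_override(text: str) -> Dict[Tuple[str, ...], str]:
    """Map each key path, e.g. ('logger', 'file', 'ext'), to its unquoted value."""
    settings: Dict[Tuple[str, ...], str] = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            settings[tuple(KEY_RE.findall(m.group(1)))] = m.group(2).strip().strip("'\"")
    return settings

def audit_override(text: str) -> List[str]:
    """Return one finding per logger setting that would make the system log executable."""
    findings: List[str] = []
    settings = parse_override(text)
    ext = settings.get(("logger", "file", "ext"))
    if ext is not None:
        norm = ext.lower() if ext.startswith(".") else "." + ext.lower()
        if norm not in SAFE_LOG_EXTS:
            findings.append(f"logger.file.ext = '{ext}': not a plain-text log suffix")
    name = settings.get(("logger", "file", "name"))
    if name is not None and PHP_IN_NAME_RE.search(name):
        findings.append(f"logger.file.name = '{name}': PHP handler suffix inside log name")
    return findings

# Constructed samples: an untouched override and one carrying the setting the advisory describes.
CLEAN_OVERRIDE = "<?php\n$sugar_config['logger']['level'] = 'fatal';\n$sugar_config['logger']['file']['ext'] = '.log';\n"
TAMPERED_OVERRIDE = "<?php\n$sugar_config['logger']['file']['ext'] = '.php';\n$sugar_config['logger']['file']['name'] = 'sugarcrm';\n"

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_OVERRIDE), ("tampered", TAMPERED_OVERRIDE)):
        print(label, audit_override(text) or ["no findings"])
```

Run it against the real config_override.php of a SugarCRM install as a post-upgrade check, since patching the code paths does not undo a setting that was already written.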
  
  
[-] Solution:  
  
Upgrade to version 9.0.2, 8.0.4, or later.  
  
  
[-] Disclosure Timeline:  
  
[07/02/2019] - Vendor notified  
[01/10/2019] - Versions 9.0.2 and 8.0.4 released  
[10/10/2019] - Publication of this advisory  
  
  
[-] Credits:  
  
Vulnerabilities discovered by Egidio Romano.  
  
  
[-] Original Advisory:  
  
http://karmainsecurity.com/KIS-2019-07  
  
  
[-] Other References:  
  
https://support.sugarcrm.com/Documentation/Sugar_Versions/9.0/Ent/Sugar_9.0.2_Release_Notes