---------------------------------------------------------------  
SugarCRM <= 9.0.1 Multiple Phar Deserialization Vulnerabilities  
---------------------------------------------------------------  
  
  
[-] Software Link:  
  
https://www.sugarcrm.com  
  
  
[-] Affected Versions:  
  
Versions 9.0.1 and prior, and versions 8.0.3 and prior.  
  
  
[-] Vulnerabilities Description:  
  
1) User input passed through the "backup_dir" parameter when handling the
"Backups" action within the "Administration" module is not properly sanitized
before being used in a file operation. This can be exploited by malicious users
to inject arbitrary PHP objects into the application scope (PHP Object Injection
via phar:// stream wrapper), allowing them to carry out a variety of attacks,
such as executing arbitrary PHP code. Successful exploitation of this
vulnerability requires a System Administrator account.

2) User input passed through the "file_name" parameter when handling the "step3"
action within the "Import" module is not properly sanitized before being used in
a file operation. This can be exploited by malicious users to inject arbitrary
PHP objects into the application scope (PHP Object Injection via phar:// stream
wrapper), allowing them to carry out a variety of attacks, such as executing
arbitrary PHP code.

3) User input passed through the "importFile" parameter when handling the
"RefreshMapping" action within the "Import" module is not properly sanitized
before being used in a file operation. This can be exploited by malicious users
to inject arbitrary PHP objects into the application scope (PHP Object Injection
via phar:// stream wrapper), allowing them to carry out a variety of attacks,
such as executing arbitrary PHP code.

4) User input passed through the "load_module_from_dir" parameter when handling
the "UpgradeWizard" action within the "Administration" module is not properly
sanitized before being used in a file operation. This can be exploited by
malicious users to inject arbitrary PHP objects into the application scope (PHP
Object Injection via phar:// stream wrapper), allowing them to carry out a
variety of attacks, such as executing arbitrary PHP code. Successful exploitation
of this vulnerability requires a System Administrator account.

5) User input passed through the "file_name" parameter when handling the
"UploadFileCheck" action within the "UpgradeWizard" module is not properly
sanitized before being used in a file operation. This can be exploited by
malicious users to inject arbitrary PHP objects into the application scope
(PHP Object Injection via phar:// stream wrapper), allowing them to carry out
a variety of attacks, such as executing arbitrary PHP code.
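All five findings share one sink pattern: a request parameter reaches a PHP file operation unchanged. The following is an added example, not SugarCRM code, showing that pattern next to a guard a PHP application can apply before any file operation; vulnerable_check(), safe_path(), safe_check() and the constructed sample values are assumptions of this example.

```php
<?php
// Added example, not SugarCRM code. In PHP 7.x and earlier, stat-style calls
// such as file_exists() and is_dir() on a "phar://" path unserialize the
// archive's metadata, so an attacker-controlled path reaching such a call is
// a PHP Object Injection sink.

// Hypothetical vulnerable pattern: the value comes straight from the request.
function vulnerable_check(string $fileName): bool
{
    return file_exists($fileName);   // accepts "phar://..." and other wrappers
}

// Hardened variant: reject wrapper schemes, then confine the path to $baseDir.
function safe_path(string $baseDir, string $userPath): ?string
{
    // 1. Any "scheme://" prefix (phar://, php://, data://, ...) is rejected
    //    outright instead of trusting a denylist of specific wrappers.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userPath)) {
        return null;
    }
    // 2. NUL bytes truncate paths in the underlying C calls.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    // 3. Resolve symlinks and "..", then require the result to stay under
    //    $baseDir. realpath() returns false for missing or wrapper paths.
    $base = realpath($baseDir);
    $resolved = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $resolved === false) {
        return null;
    }
    if ($resolved !== $base
        && strncmp($resolved, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $resolved;
}

// Safe usage: the file operation only ever sees a vetted absolute path.
function safe_check(string $baseDir, string $fileName): bool
{
    $path = safe_path($baseDir, $fileName);
    return $path !== null && file_exists($path);
}

// Defence in depth for applications that never open phar archives:
// unregistering the wrapper at bootstrap makes "phar://" paths fail to open.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Constructed sample inputs: both are rejected (NULL) by the guard.
var_dump(safe_path(sys_get_temp_dir(), 'phar://archive.phar/x.txt'));
var_dump(safe_path(sys_get_temp_dir(), '../../etc/passwd'));
```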
  
  
[-] Solution:  
  
Upgrade to version 9.0.2, 8.0.4, or later.  
  
  
[-] Disclosure Timeline:  
  
[07/02/2019] - Vendor notified  
[01/10/2019] - Versions 9.0.2 and 8.0.4 released  
[10/10/2019] - Publication of this advisory  
  
  
[-] Credits:  
  
Vulnerabilities discovered by Egidio Romano.  
  
  
[-] Original Advisory:  
  
http://karmainsecurity.com/KIS-2019-09  
  
  
[-] Other References:  
  
https://support.sugarcrm.com/Documentation/Sugar_Versions/9.0/Ent/Sugar_9.0.2_Release_Notes