SugarSales Multiple Vulnerabilities


| SugarSales Multiple Vulnerabilities |


Date: 12-11-2004

Author: Daniel Fabian

Product: SugarSales (formerly SugarCRM)

Affected Version: up to 2.0.1c

Vendor: SugarCRM (

Vendor-Status: vendor contacted





Multiple Vulnerabilities have been found in the open source customer

relationship management software SugarSales. These vulnerabilities are:

- Full Path Disclosure

- Install Script

- File Inclusion/Remote Command Execution

- SQL Injection

Some of the vulnerabilities described in this advisory can only be

exploited while logged into SugarSales, however there are also numerious

flaws that can be exploited by a bypasser without the knowledge of a

username or password.





A subset of the vulnerabilities described in this advisory has already

been independendly discovered by James Bercegay and Damon Wood of the

GulfTech Security Research Team. Their advisory can be found at

As they have been first to post some of these flaws, all credits for those

vulnerabilities go to them. It's a first come first serve world. However

as there are some more flaws - most of which can be exploited while not

logged into SugarSales - we post our advisory in addition.



Vendor Status


The vendor has been notified and fixed some of the vulnerabilities we

have reported in version 2.0.1a. Even though we supplied them with an

patch for the other vulnerablities, the patch has been neither applied

to version 2.0.1b nor 2.0.1c. As a result, we are now posting the






SQL Injection



Due to insufficient input validation, an attacker can manipulate the

SQL statements that are sent to the database. Two exploits exist for

this flaw where one can be only used when logged into SugarSales,

however the other one can be used to log into SugarSales.

Both of these vulnerabilities have been fixed in version 2.0.1a.


An attacker can log into Sugarsales using the username "admin' or 1=1

-- " (without the double quotes) and any password.

Retrieving Data:

Once logged in, an attacker can also perform SQL injection to retrieve

data, using a request such as (to be considered one line):

http:// host/sugarcrm/index.php?action=DetailView&module=Opportunities&

Of course as the attacker is already logged in, there is not much use in

performing this SQL injection anyway. All modules seem to be affected.


Full Path Disclosure



A lot of scripts show the full path if unexpected input is encountered.

This allows an attacker to enumerate the system and locate the webroot.

This flaw has not yet been fixed (as of version 2.0.1c).



http:// host/Sugarcrm/phprint.php?jt=fe3e158b220567409e5d8976d34bcdae&module=&action=&record=&lang=de


File Inclusion/Remote Command Execution



Due to insufficient input validation of user input that is used in

include() or require() directives, an attacker is able to disclose

arbitrary files by specifying their path in certain HTTP GET parameters.

Two file inclusions can only be exploited while logged into SugarSales,

however again there are numerious other file inclusion flaws that can be

used by a bypasser without knowledge of a username or password. As with

all such file inclusion flaws, remote command execution is just the blink

of an eye away. If the attacker is able to log in (eg. as described above

using SQL injection) and upload text files or find the webserver log file,

he can gain a comfortable web-shell and take control over the server.

Modules and Actions (only possible when logged in):

http:// host/Sugarcrm/index.php?module=/../../etc/hosts%00&action=EditView

http:// host/Sugarcrm/index.php?module=Calls%00&action=/../../etc/hosts%00

Include files (possible to exploit when not logged in):

http:// host/sugarcrm/modules/Users/Login.php?theme=/../../../etc/hosts%00

http:// host/sugarcrm/modules/Calls/index.php?theme=/../../../etc/hosts%00

This flaw can be found in numerious other files in the modules directory.

Neither of the two flaws has been fixed as of version 2.0.1c.


Install Scripts



After a successful installation of SugarSales, the install script files

are not removed or locked, unless manually deleted by the administrator

of the site. An attacker can use the install scripts to perform a denial

of service attack by dropping the tables and replacing them with the

default ones. However more importantly, the MySQL password can be found

in plaintext on one of the install script forms.



Counter Measures


Until a fix is available, set the following parameters in php.ini:

register_globals = Off

magic_quotes = On

Manually delete the /install directory.





Nov. 17: Notified vendor

Nov. 22: Vendor reply

Nov. 24: Release of 2.0.1a, which fixes only SQL Injection

Nov. 25: Notification to vendor that not all vulnerabilities were fixed

by the patch.

Nov. 28: Supplied vendor with a patch for the file inclusion flaws

Dec. 08: Release of 2.0.1c which still does not fix file inclusion flaws

Dec. 13: Disclosure of the vulnerabilities





SEC Consult Unternehmensberatung GmbH

Büro Wien

Blindengasse 3

A-1080 Wien


Tel.: +43 / 1 / 409 0307 - 570

Fax.: +43 / 1 / 409 0307 - 590

Mail: office at sec-consult dot com


EOF Daniel Fabian / @2004

d.fabian at sec-consult dot com