SugarCRM/SugarSales Remote File Include Vulnerability
BID:12191
Info
SugarCRM/SugarSales Remote File Include Vulnerability
| Bugtraq ID: | 12191 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 07 2005 12:00AM |
| Updated: | Jan 07 2005 12:00AM |
| Credit: | Santiago Cortes is credited with the discovery of this vulnerability. |
| Vulnerable: |
SugarCRM SugarSales 2.0.1 c SugarCRM SugarCRM 2.0.1 a SugarCRM SugarCRM 2.0.1 SugarCRM SugarCRM 1.5 d SugarCRM SugarCRM 1.1 f SugarCRM SugarCRM 1.1 e SugarCRM SugarCRM 1.1 d SugarCRM SugarCRM 1.1 c SugarCRM SugarCRM 1.1 b SugarCRM SugarCRM 1.1 a SugarCRM SugarCRM 1.1 SugarCRM SugarCRM 1.0 g SugarCRM SugarCRM 1.0 f SugarCRM SugarCRM 1.0 |
| Not Vulnerable: | |
Discussion
SugarCRM/SugarSales Remote File Include Vulnerability
SUgarCRM and SugarSales are reported prone to a vulnerability that may allow attackers to influence the include path for external files.
This vulnerability allows arbitrary script code to be executed in the context of the web server hosting the affected software. In the case of including local files, this may expose sensitive information. In the case of including remote files, it is possible to include a malicious PHP script from a remote source.
SUgarCRM and SugarSales are reported prone to a vulnerability that may allow attackers to influence the include path for external files.
This vulnerability allows arbitrary script code to be executed in the context of the web server hosting the affected software. In the case of including local files, this may expose sensitive information. In the case of including remote files, it is possible to include a malicious PHP script from a remote source.
Exploit / POC
SugarCRM/SugarSales Remote File Include Vulnerability
An exploit is not required. An example demonstrating this vulnerability is provided:
http://www.example.com/index.php?module=Home&moduleDefaultFile[Home]=[file]
An exploit is not required. An example demonstrating this vulnerability is provided:
http://www.example.com/index.php?module=Home&moduleDefaultFile[Home]=[file]
Solution / Fix
SugarCRM/SugarSales Remote File Include Vulnerability
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.