SugarCRM Community Edition 6.5.2 (Build 8410) multiple vulnerabilities

There are multiple security vulnerabilities in SugarCRM Community Edition 6.5.2 (Build 8410) which may allow an attacker to take control of the software.

Software

Software Link: http://sugarcrm.com/

Vulnerable Versions: 6.5.2 (Build 8410)

Vendor Notification:

# 2012-07-26 -> secure@sugarcrm.com

# 2012-07-27 <- vendor confirmed receipt

# 2012-07-29 -> request for patch date

# 2012-07-31 <- vendor advised issues will be patched in 6.5.3

# 2012-08-24 -- vendor released 6.5.3

# 2012-08-30 -- advisory released

The vulnerabilities found in SugarCRM Community Edition 6.5.2 (Build 8410) come in multiple flavors:

# Information Disclosure # Full Path Disclosure # Unauthenticated

The application creates the following file once any user has authenticated and completed the "wizard" introduction.

This file leaks some application details including the local file path.

# Information Disclosure # Username Enumeration # Unauthenticated

Unauthenticated users can enumerate valid usernames and user e-mail addresses.

The following proof of concept is available:

# Information Disclosure # User Schedules # Unauthenticated

By default every user's iCalendar publish key is empty, which allows unauthenticated users to view users' schedules.

# Persistent Cross-Site Scripting (XSS) # Authenticated - User Role

The following proof of concept is available:

# Persistent Cross-Site Scripting (XSS) # Authenticated - User Role

The following proof of concept is available:

# Information Disclosure # User Hash Disclosure # Authenticated - User Role

An authenticated user can view the password hashes of all users.

The following proof of concept is available:

# Blind SQL Injection # Authenticated - User Role

# MySQL on Windows and Linux

The following proof of concept is available:

# MSSQL on Windows

The following proof of concept is available:

# Remote Command Execution # Authenticated - User Role

# MySQL on Windows

If MySQL is running on the same host as the web server, its default configuration allows arbitrary command execution by leveraging the aforementioned blind SQL injection.

The following proof of concept is available:

# MSSQL on Windows

The default MSSQL configuration allows arbitrary command execution on the database server by leveraging the aforementioned blind SQL injection.

The following proof of concept is available:

# MySQL on Linux

In the FastStack Linux installer, the database user does not by default have write access to the web root, so this vector does not apply there.
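The two MySQL notes above turn on what the database account is allowed to do with the filesystem: the Windows case is exploitable and the FastStack Linux case is not because the account cannot write into the web root. The following MySQL statements are an added defensive example, not part of the advisory or of SugarCRM, for auditing and tightening the account the application connects with. They assume that the command-execution path depends on the database account writing files (an assumption drawn from the FastStack note, not stated by the advisory); the account name 'sugarcrm'@'localhost', the schema name sugarcrm and the directory /var/lib/mysql-files are placeholders.

```sql
-- Added example (not from the advisory): audit and harden the MySQL account
-- used by the application. Assumption: the command-execution path relies on
-- the database account writing files reachable by the web server.
-- 'sugarcrm'@'localhost' and /var/lib/mysql-files are placeholder values.

-- 1. Does the application account hold the global FILE privilege?
--    'Y' here means SELECT ... INTO OUTFILE and LOAD_FILE() are allowed.
SELECT User, Host, File_priv
FROM mysql.user
WHERE User = 'sugarcrm';

-- 2. Is file output confined to a directory outside the web root?
--    An empty value means file operations may target any path the mysqld
--    process can reach; NULL disables them entirely. This variable is
--    read-only at runtime and must be set under [mysqld] in my.cnf, e.g.
--    secure_file_priv=/var/lib/mysql-files
SHOW VARIABLES LIKE 'secure_file_priv';

-- 3. Least privilege for the application account: table-level DML only,
--    no global FILE, SUPER or GRANT OPTION. Schema-changing rights
--    (CREATE, ALTER, DROP, INDEX) are only needed during install/upgrade
--    and can be granted for that window and revoked afterwards.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'sugarcrm'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE
    ON sugarcrm.* TO 'sugarcrm'@'localhost';
FLUSH PRIVILEGES;

-- 4. Confirm the result: the output should list only the schema-scoped
--    grant from step 3 and no "GRANT FILE" or "GRANT ALL" line.
SHOW GRANTS FOR 'sugarcrm'@'localhost';
```

Run steps 1 and 2 as an administrative account before changing anything; if step 1 returns 'Y' or step 2 returns an empty string, the SQL injection described above has a path to the filesystem regardless of the web root's permissions. Steps 3 and 4 remove that path from the application account, and setting secure_file_priv in my.cnf closes it for every account that is not deliberately given a file directory.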

# Remote Command Execution # Authenticated - Administrator Role

A user with the Administrator role can execute arbitrary commands by abusing the logging functionality.

The following proof of concept is available:

References

# OWASP: Information Leakage

# OWASP: Full Path Disclosure

# OWASP: Code Injection

# OWASP: Blind SQL Injection

Appendix

[TXT] SugarCRM Community Edition 6.5.2 (Build 8410) multiple vulnerabilities