Full Disclosure mailing list archives

[KIS-2019-04] SugarCRM <= 9.0.1 Multiple SQL Injection Vulnerabilities

From: Egidio Romano <research () karmainsecurity com>
Date: Thu, 10 Oct 2019 20:37:17 +0200

--------------------------------------------------------
SugarCRM <= 9.0.1 Multiple SQL Injection Vulnerabilities
--------------------------------------------------------


[-] Software Link:

https://www.sugarcrm.com


[-] Affected Versions:

Version 9.0.1 and prior versions, 8.0.3 and prior versions.


[-] Vulnerabilities Description:

1) User input passed to the "/pmse_Inbox/changeCaseUser" REST APIendpoint

is not properly sanitized before being used to construct a SQL query.
This can be exploited by malicious users to e.g. read sensitive data
from the database through in-band SQL Injection attacks.

2) User input passed to the "/pmse_Project/CrmData/activities" REST APIendpointis not properly sanitized before being used to construct a SQL query.This canbe exploited by malicious users to e.g. read sensitive data from thedatabase

through in-band SQL Injection attacks.

3) User input passed to the "/pmse_Project/CrmData/emails" REST APIendpoint isnot properly sanitized before being used to construct a SQL query. Thiscan beexploited by malicious users to e.g. read sensitive data from thedatabase

through in-band SQL Injection attacks.

4) User input passed to the "/pmse_Project/CrmData/emailtemplates" RESTAPIendpoint is not properly sanitized before being used to construct a SQLquery.This can be exploited by malicious users to e.g. read sensitive datafrom the

database through in-band SQL Injection attacks.

5) User input passed to the "/pmse_Project/CrmData/users" REST APIendpoint isnot properly sanitized before being used to construct a SQL query. Thiscan beexploited by malicious users to e.g. read sensitive data from thedatabase

through in-band SQL Injection attacks.

6) User input passed through the "pro_module" JSON parameter to the

"/pmse_Project/CrmData/putData" REST API endpoint is not properlysanitizedbefore being used to construct a SQL query. This can be exploited bymalicious

users to e.g. read sensitive data from the database through time-based
Blind SQL Injection attacks.

7) User input passed through the "cas_id" and "cas_index" parameters tothe"/pmse_Project/CrmData/validateReclaimCase" REST API endpoint is notproperlysanitized before being used to construct a SQL query. This can beexploited by

malicious users to e.g. read sensitive data from the database through
time-based Blind SQL Injection attacks.

8) The vulnerability exists because the "/modules/Emails/Grab.php"script isusing the "group_id" field of an "InboundEmail" bean to construct a SQLquerywithout being properly sanitized, and such value can be arbitrarilymanipulatedthrough the MergeRecords module. This can be exploited by malicioususers toe.g. read sensitive data from the database through boolean-basedsecond-order

SQL Injection attacks.

9) The vulnerability exists because the "/[module]/export" REST APIendpoint isusing a value that can be arbitrarily manipulated through the"/[module]/record_list"endpoint to construct a SQL query without being properly sanitized. Thiscan beexploited by malicious users to e.g. read sensitive data from thedatabase

through in-band second-order SQL Injection attacks.

10) User input passed through the "order_by" parameter to the"/link/history" RESTAPI endpoint is not properly sanitized before being used to construct aSQL query.This can be exploited by malicious users to e.g. read sensitive datafrom the

database through time-based Blind SQL Injection attacks.

11) The vulnerability exists because the"PersonFormBase::checkForDuplicates()"method is using certain POST parameters to construct a SQL query withoutbeingproperly sanitized. This can be exploited by malicious users to e.g.read sensitive

data from the database through time-based SQL Injection attacks.

12) User input passed through the "act_name" JSON parameter to the"/pmse_Inbox"REST API endpoint is not properly sanitized before being used toconstruct a SQLquery. This can be exploited by malicious users to e.g. read sensitivedata from

the database through time-based Blind SQL Injection attacks.

13) User input passed to the "/pmse_Inbox/processUsersChart" REST APIendpoint isnot properly sanitized before being used to construct a SQL query. Thiscan beexploited by malicious users to e.g. read sensitive data from thedatabase throughin-band SQL Injection attacks. Successful exploitation of thisvulnerabilityrequires an user account with Admin/Developer access to the "Processes"module.

14) User input passed through the "deal_tot_discount_percentage" JSONparameter tothe "/Quotes" REST API endpoint is not properly sanitized before beingused toconstruct a SQL query. This can be exploited by malicious users to e.g.readsensitive data from the database through time-based Blind SQL Injectionattacks.

15) User input passed through the "q" parameter to the"/pmse_Inbox/unattendedCases"REST API endpoint is not properly sanitized before being used toconstruct a SQLquery. This can be exploited by malicious users to e.g. read sensitivedata fromthe database through in-band SQL Injection attacks. Successfulexploitation ofthis vulnerability requires an user account with Admin/Developer accessto

the "Processes" module.

16) User input passed to the "/pmse_Inbox/userListByTeam" REST APIendpoint is notproperly sanitized before being used to construct a SQL query. This canbe exploited

by malicious users to e.g. read sensitive data from the database through
in-band SQL Injection attacks.


[-] Solution:

Upgrade to version 9.0.2, 8.0.4, or later.


[-] Disclosure Timeline:

[07/02/2019] - Vendor notified
[01/10/2019] - Versions 9.0.2 and 8.0.4 released
[10/10/2019] - Publication of this advisory


[-] Credits:

Vulnerabilities discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2019-04


[-] Other References:

https://support.sugarcrm.com/Documentation/Sugar_Versions/9.0/Ent/Sugar_9.0.2_Release_Notes

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Current thread:

[KIS-2019-04] SugarCRM <= 9.0.1 Multiple SQL Injection Vulnerabilities Egidio Romano (Oct 10)