SugarCRM Security Exploits

Seeing as the SugarCRM folks failed to announce this on their own site, I would like to announce the release of SugarCRM 3.5.0b.

This release fixes a serious security flaw that allows privilege escalation for anybody with an account: some of the admin pages that become reachable allow you to upload your own code and execute it.

Essentially, the exploit consists of loading certain admin pages directly (by passing the right GET arguments), because those pages failed to check for Administrator-level permissions before serving the request.
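To make the bug class concrete, here is an added PHP example of a GET-routed page dispatcher in the vulnerable shape beside a fixed one. It is example code written for this post, not SugarCRM's source; the module/action names, the session keys and the page handlers are invented for the illustration.

```php
<?php
// Illustration of the bug class in the post: admin pages reachable by GET
// parameters that never verify Administrator-level permissions. Hypothetical
// example code, not SugarCRM's source; route names, session keys and
// handlers are invented for the illustration.

declare(strict_types=1);

// Hypothetical session shape set by the login code:
// $session['user_id'] (int) and $session['is_admin'] (bool).
function is_logged_in(array $session): bool {
    return isset($session['user_id']);
}
function is_admin(array $session): bool {
    return is_logged_in($session) && ($session['is_admin'] ?? false) === true;
}

// Hypothetical page handlers. In the vulnerable layout each page is trusted
// to check permissions itself, and the upload page forgot to.
function page_home(array $session): string {
    return 'home';
}
function page_admin_upload_vulnerable(array $session): string {
    // Missing: an is_admin() check. Any authenticated user who knows the
    // module/action parameters reaches this and can push their own code
    // into the install, which is the escalation described in the post.
    return 'upload accepted';
}
function page_admin_upload_fixed(array $session): string {
    if (!is_admin($session)) {
        return 'forbidden';
    }
    return 'upload accepted';
}

// Vulnerable router: only verifies that someone is logged in, then forwards
// ?module=...&action=... to whichever page matches. Admin pages are
// "protected" only by not being linked from the menu.
function dispatch_vulnerable(array $get, array $session): string {
    if (!is_logged_in($session)) {
        return 'login required';
    }
    $routes = [
        'Home/index'            => 'page_home',
        'Administration/Upload' => 'page_admin_upload_vulnerable',
    ];
    $key = ($get['module'] ?? '') . '/' . ($get['action'] ?? '');
    if (!isset($routes[$key])) {
        return 'not found';
    }
    return call_user_func($routes[$key], $session);
}

// Fixed router: every route declares whether it needs admin, the router
// enforces that before the handler runs, unknown routes are denied, and the
// admin handler still checks on its own (defence in depth).
function dispatch_fixed(array $get, array $session): string {
    if (!is_logged_in($session)) {
        return 'login required';
    }
    $routes = [
        'Home/index'            => ['handler' => 'page_home',               'admin' => false],
        'Administration/Upload' => ['handler' => 'page_admin_upload_fixed', 'admin' => true],
    ];
    $key = ($get['module'] ?? '') . '/' . ($get['action'] ?? '');
    if (!isset($routes[$key])) {
        return 'not found';
    }
    if ($routes[$key]['admin'] && !is_admin($session)) {
        return 'forbidden';
    }
    return call_user_func($routes[$key]['handler'], $session);
}

// Constructed sessions: an ordinary user and an administrator, both hitting
// the admin upload page by supplying the right GET arguments.
$user  = ['user_id' => 2, 'is_admin' => false];
$admin = ['user_id' => 1, 'is_admin' => true];
$get   = ['module' => 'Administration', 'action' => 'Upload'];

echo "vulnerable, ordinary user: ", dispatch_vulnerable($get, $user), "\n";
echo "fixed, ordinary user:      ", dispatch_fixed($get, $user), "\n";
echo "fixed, administrator:      ", dispatch_fixed($get, $admin), "\n";
```

Run with `php example.php`: the vulnerable router lets the ordinary user's upload through, while the fixed router refuses it and only admits the administrator. The point of the fixed version is that the admin requirement lives in one place the request cannot bypass (the router's route table), rather than in each page where a single forgotten check is enough to expose an upload-and-execute page to every account on the system.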

I would love to say that I helped fix this issue, etc., but when I got in contact with the folks at SugarCRM they were in the process of getting 3.5.0b out the door, and when we tested my findings they had already patched it, so good job!

I urge everybody using SugarCRM to upgrade as soon as possible, but please be aware that this exploit can only be taken advantage of if a user already has an account in your system.

- Davey
