SugarCRM Security Exploits

Seeing as the SugarCRM folks failed to announce this on their own site, I would like to announce the release of SugarCRM 3.5.0b.

This release fixes a serious security flaw that allows anybody with an account to escalate their permissions. Some of the pages that become reachable let you upload your own code and execute it.

Essentially, the exploit consists of loading certain admin pages (by passing the correct GET arguments) that failed to check for Administrator-level permissions.
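To make the flaw concrete, here is an added example (mine, not SugarCRM's code) of the pattern the post describes: a dispatcher that selects a page from query-string arguments. The module names, the `User` class, and the log format are all constructed stand-ins; the point is that an admin-only page must enforce the Administrator check itself, on every request, rather than relying on the menu not showing a link to it. The final function shows a simple post-upgrade audit over constructed log lines, flagging successful admin-module requests by accounts that are not administrators.

```python
"""Added illustration (hypothetical, not SugarCRM code): a GET-driven page
dispatcher with and without a per-request Administrator check, plus a log
audit for admin pages reached by non-admin accounts."""

from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool


# Constructed module table; names are placeholders, not real SugarCRM modules.
ADMIN_MODULES = {"Administration", "UpgradeWizard", "ModuleLoader"}
ALL_MODULES = ADMIN_MODULES | {"Accounts", "Contacts", "Home"}


def parse_request(query_string: str) -> Tuple[str, str]:
    """Extract module and action from a raw query string like 'module=X&action=Y'."""
    params = parse_qs(query_string, keep_blank_values=True)
    module = params.get("module", ["Home"])[0]
    action = params.get("action", ["index"])[0]
    return module, action


def dispatch_vulnerable(user: Optional[User], query_string: str) -> int:
    """Flawed pattern: only checks that someone is logged in.

    Any authenticated user who knows (or guesses) the module name reaches the
    admin page, because nothing here looks at user.is_admin."""
    if user is None:
        return 401
    module, _action = parse_request(query_string)
    if module not in ALL_MODULES:
        return 404
    return 200


def dispatch_hardened(user: Optional[User], query_string: str) -> int:
    """Authorization is decided at the dispatcher for every request, based on
    the module actually requested, not on which links the UI rendered."""
    if user is None:
        return 401
    module, _action = parse_request(query_string)
    if module not in ALL_MODULES:
        return 404
    if module in ADMIN_MODULES and not user.is_admin:
        return 403  # authenticated but not an Administrator
    return 200


# Constructed access-log lines (key=value fields) for the audit below.
SAMPLE_LOG = [
    "user=alice module=Administration status=200",
    "user=bob module=Accounts status=200",
    "user=bob module=ModuleLoader status=200",
    "user=carol module=UpgradeWizard status=403",
    "user=dave module=Contacts status=200",
]


def admin_pages_hit_by_non_admins(lines: List[str], admin_users: set) -> List[Tuple[str, str]]:
    """Return (user, module) pairs where a non-admin account successfully
    loaded an admin module. Useful as a quick check of historical logs after
    upgrading, to see whether the missing check was ever taken advantage of."""
    hits = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if (
            fields.get("module") in ADMIN_MODULES
            and fields.get("status") == "200"
            and fields.get("user") not in admin_users
        ):
            hits.append((fields["user"], fields["module"]))
    return hits


if __name__ == "__main__":
    bob = User("bob", is_admin=False)
    print("vulnerable:", dispatch_vulnerable(bob, "module=ModuleLoader&action=index"))
    print("hardened:  ", dispatch_hardened(bob, "module=ModuleLoader&action=index"))
    print("audit:     ", admin_pages_hit_by_non_admins(SAMPLE_LOG, {"alice"}))
```

The hardened dispatcher denies by default for the admin module set, so a newly added admin page is protected without each page author remembering to add the check; that is the structural fix for this class of bug, as opposed to patching the individual pages that were found.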

I would love to say that I helped fix this issue, etc., but when I got in contact with the folks at SugarCRM they were in the process of getting 3.5.0b out the door, and when we tested my findings they had already patched it, so good job!

I urge everybody using SugarCRM to upgrade as soon as possible, but please be aware that this exploit can only be taken advantage of by a user who already has an account in your system.

- Davey
