SugarCRM Security Exploits

Seeing as the SugarCRM folks failed to announce this on their own site, I would like to announce the release of SugarCRM 3.5.0b.

This release fixes a serious security flaw that allows escalated permissions for anybody with an account. Some of the accessible pages allow you to upload your own code and execute it.

Essentially, the exploit consists of loading certain admin pages (by passing the correct GET args) that failed to check for Administrator-level permissions.
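To make the class of bug concrete, here is an added illustration (my own, not SugarCRM code, and written in Python rather than the project's PHP because the lesson is language-independent). It contrasts a dispatcher that maps a GET `action` straight to a page handler with one that registers every page together with the role it requires and enforces that role centrally, denying by default. The page names, handlers and the access-log format are all hypothetical; the log lines are constructed for the audit function at the end, which flags non-admin accounts that successfully reached an admin-only page.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool

# Hypothetical page handlers standing in for the "certain admin pages" above.
def page_index(user: User) -> str:
    return f"index:{user.name}"

def page_upgrade_wizard(user: User) -> str:
    # In a real CRM this is the kind of page that accepts an uploaded package,
    # which is why it must be reachable by administrators only.
    return "upgrade-wizard"

Handler = Callable[[User], str]

# Vulnerable shape: the GET 'action' is mapped straight to a handler, so any
# authenticated account that knows the page name can load it.
PAGES_VULNERABLE: Dict[str, Handler] = {
    "index": page_index,
    "UpgradeWizard": page_upgrade_wizard,
}

def dispatch_vulnerable(user: User, params: Dict[str, str]) -> Tuple[int, str]:
    action = params.get("action", "index")
    handler = PAGES_VULNERABLE.get(action)
    if handler is None:
        return 404, "not found"
    return 200, handler(user)  # no role check anywhere on this path

# Hardened shape: every page is registered with the role it requires and the
# check lives in the dispatcher, so a page cannot be added without declaring one.
PAGES_HARDENED: Dict[str, Tuple[str, Handler]] = {
    "index": ("user", page_index),
    "UpgradeWizard": ("admin", page_upgrade_wizard),
}

def is_allowed(user: User, required_role: str) -> bool:
    if required_role == "user":
        return True  # any authenticated account
    if required_role == "admin":
        return user.is_admin
    return False  # unknown role string: deny by default

def dispatch_hardened(user: User, params: Dict[str, str]) -> Tuple[int, str]:
    action = params.get("action", "index")
    entry = PAGES_HARDENED.get(action)
    if entry is None:
        return 404, "not found"
    required_role, handler = entry
    if not is_allowed(user, required_role):
        return 403, "forbidden"
    return 200, handler(user)

# Constructed access-log lines (hypothetical format, not real SugarCRM logs).
SAMPLE_LOG = """\
user=alice admin=1 action=UpgradeWizard status=200
user=bob admin=0 action=index status=200
user=bob admin=0 action=UpgradeWizard status=200
user=carol admin=0 action=UpgradeWizard status=403
"""
LOG_RE = re.compile(r"user=(\S+) admin=([01]) action=(\S+) status=(\d+)")

def find_unauthorized_admin_hits(log_text: str) -> List[Tuple[str, str]]:
    """Return (user, action) pairs where a non-admin got HTTP 200 on an admin-only page."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        user, admin, action, status = m.groups()
        entry = PAGES_HARDENED.get(action)
        if entry is None:
            continue  # unknown page name; nothing to compare against
        if entry[0] == "admin" and admin == "0" and status == "200":
            hits.append((user, action))
    return hits

if __name__ == "__main__":
    bob = User("bob", is_admin=False)
    print(dispatch_vulnerable(bob, {"action": "UpgradeWizard"}))  # (200, 'upgrade-wizard')
    print(dispatch_hardened(bob, {"action": "UpgradeWizard"}))    # (403, 'forbidden')
    print(find_unauthorized_admin_hits(SAMPLE_LOG))               # [('bob', 'UpgradeWizard')]
```

The point of the hardened registry is that the role requirement is data attached to the page, not a check each page author has to remember to write; a forgotten check is exactly how the flaw described in this post arises. The audit function is the corresponding detective control: run over real logs after upgrading, it tells you whether anyone already used the pre-patch behaviour.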

I would love to say that I helped fix this issue etc., but when I got in contact with the folks at SugarCRM they were in the process of getting 3.5.0b out the door, and when we tested my findings, they had already patched it, so good job!

I urge everybody using SugarCRM to upgrade as soon as possible, but please be aware that this exploit can only be taken advantage of if a user already has an account in your system.

- Davey
