bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/40027.txt
Offensive Security e9145685e4 DB: 2016-06-28 
14 new exploits

Linux Netcat Reverse Shell - 32bit - 77 bytes

XM Easy Personal FTP Server 5.8 - (HELP) Remote DoS Vulnerability

Linux x86_64 execve Shellcode - 15 bytes
WordPress Ultimate Product Catalog Plugin 3.8.6 - Arbitrary File Upload
OPAC KpwinSQL - SQL Injection
Magnet Networks Tesley CPVA 642 Router – Weak WPA-PSK Passphrase Algorithm
Option CloudGate CG0192-11897 - Multiple Vulnerabilities
Kagao 3.0 - Multiple Vulnerabilities
Panda Security Multiple Products - Privilege Escalation
MyLittleForum 2.3.5 - PHP Command Injection
iBilling 3.7.0 - Stored and Reflected XSS
PInfo 0.6.9-5.1 - Local Buffer Overflow
BigTree CMS 4.2.11 - SQL Injection
HNB 1.9.18-10 - Local Buffer Overflow
Linux x86 /bin/sh Shellcode + ASLR Bruteforce
SugarCRM 6.5.18 - PHP Code Injection
Riverbed SteelCentral NetProfiler & NetExpress 10.8.7 - Multiple Vulnerabilities
2016-06-28 05:03:46 +00:00

83 lines
No EOL
2.6 KiB
Text
Executable file
Raw Blame History

---------------------------------------------------------
SugarCRM <= 6.5.18 Two PHP Code Injection Vulnerabilities
---------------------------------------------------------
[-] Software Link:
http://www.sugarcrm.com/
[-] Affected Versions:
Version 6.5.18 CE and prior versions.
[-] Vulnerabilities Description:
1) The vulnerable code is located in the /include/utils/array_utils.php script:
99. function override_value_to_string_recursive2($array_name, $value_name, $value, $save_empty = true) {
100. if (is_array($value)) {
101. $str = '';
102. $newArrayName = $array_name . "['$value_name']";
103. foreach($value as $key=>$val) {
104. $str.= override_value_to_string_recursive2($newArrayName, $key, $val, $save_empty);
105. }
106. return $str;
107. } else {
108. if(!$save_empty && empty($value)){
109. return;
110. }else{
111. return "\$$array_name" . "['$value_name'] = " . var_export($value, true) . ";\n";
112. }
113. }
114. }
The "override_value_to_string_recursive2()" function is being used to save an array into a configuration file with a .php
extension. However, this function does not properly escape key names, and this can be exploited to inject and execute
arbitrary PHP code through e.g. the following URL, which will write arbitrary PHP code into the config_override.php file:
http://[host]/[sugar]/index.php?module=Connectors&action=RunTest&source_id=ext_rest_insideview&ext_rest_insideview_[%27.phpinfo().%27]=1
2) The vulnerable code is located in the /modules/UpgradeWizard/upload.php script:
117. $manifest_file = extractManifest($tempFile);
118.
119. if(is_file($manifest_file)) {
120. require_once( $manifest_file );
The vulnerability is caused by the Upgrade Wizard module, which allows to upload a package with an arbitrary manifest.php
file that will be executed by the application. This can be exploited by authenticated administrator users to upload and
execute arbitrary PHP code.
[-] Solution:
Update to version 6.5.19 CE or higher to mitigate the first vulnerability.
No official solution is currently available for the second vulnerability.
[-] Disclosure Timeline:
[29/10/2014] - Vendor notified
[15/12/2014] - Version 6.5.19 CE released: http://bit.do/sugar6519
[29/04/2015] - CVE number requested
[23/06/2016] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has not assigned a CVE identifier for these vulnerabilities.
[-] Credits:
Vulnerabilities discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2016-05
Reference in a new issue View git blame Copy permalink