[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] [KIS-2016-03] SugarCRM <= 6.5.18 (SAML Authentication) XML External Entity Vulnerability
From:       Egidio Romano <research () karmainsecurity ! com>
Date:       2016-06-23 22:00:17
Message-ID: 576C5BF1.8050005 () karmainsecurity ! com
[Download RAW message or body]

--------------------------------------------------------------------------
SugarCRM <= 6.5.18 (SAML Authentication) XML External Entity Vulnerability
--------------------------------------------------------------------------


[-] Software Link:

http://www.sugarcrm.com/


[-] Affected Versions:

Version 6.5.18 CE and prior versions.


[-] Vulnerability Description:

The vulnerable code is located in the constructor method of the "SamlResponse" class:

63.	function __construct($settings, $assertion) {
64.	  $this->settings = $settings;
65.	  $this->assertion = base64_decode($assertion);
66.	  $this->xml = new DOMDocument();
67.	  $this->xml->loadXML($this->assertion);
68.	}
	

Which is being called by the "authenticateUser" method of the "SAMLAuthenticateUser" class:

75.	$samlresponse = new SamlResponse($settings, $_POST['SAMLResponse']);

User input passed through the "SAMLResponse" POST parameter isn't properly sanitized before being used in a call
to the "DOMDocument::loadXML()" method, and there are no calls to the "libxml_disable_entity_loader()" function.
This can be exploited by unauthenticated attackers to carry out XML External Entity (XXE) attacks. Successful
exploitation of this vulnerability requires SAML authentication to be enabled (disabled by default).


[-] Solution:

Update to version 6.5.19 CE or higher.


[-] Disclosure Timeline:

[15/10/2014] - Vendor notified
[18/10/2014] - Vendor acknowledgement
[15/12/2014] - Version 6.5.19 CE released: http://bit.do/sugar6519
[29/04/2015] - CVE number requested
[23/06/2016] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has not assigned a CVE identifier for this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2016-03


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic