[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] [KIS-2016-07] SugarCRM <= 6.5.23 (SugarRestSerialize.php) PHP Object Injection Vulnerability
From: Egidio Romano <research () karmainsecurity ! com>
Date: 2016-06-23 22:05:32
Message-ID: 576C5D2C.70609 () karmainsecurity ! com
[Download RAW message or body]
------------------------------------------------------------------------------
SugarCRM <= 6.5.23 (SugarRestSerialize.php) PHP Object Injection Vulnerability
------------------------------------------------------------------------------
[-] Software Link:
http://www.sugarcrm.com/
[-] Affected Versions:
Version 6.5.23 CE and prior versions.
[-] Vulnerability Description:
The vulnerable code is located in the /service/core/REST/SugarRestSerialize.php script:
67. function serve(){
68. $GLOBALS['log']->info('Begin: SugarRestSerialize->serve');
69. $data = !empty($_REQUEST['rest_data'])? $_REQUEST['rest_data']: '';
70. if(empty($_REQUEST['method']) || !method_exists($this->implementation, \
$_REQUEST['method'])){ 71. $er = new SoapError();
72. $er->set_error('invalid_call');
73. $this->fault($er);
74. }else{
75. $method = $_REQUEST['method'];
76. $data = unserialize(from_html($data));
77. if(!is_array($data))$data = array($data);
78. $GLOBALS['log']->info('End: SugarRestSerialize->serve');
User input passed through the "rest_data" request parameter is not properly sanitized before \
being used in a call to the "unserialize()" function at line 76. This can be exploited to \
inject arbitrary PHP objects into the application scope, and could allow unauthenticated \
attackers to execute arbitrary PHP code via specially crafted serialized objects.
[-] Solution:
No official solution is currently available.
NOTE: version 6.5.23 CE includes a fix for this kind of vulnerability. However, the fix is not \
enough to prevent object injection attacks because the input validation check can be bypassed.
[-] Disclosure Timeline:
[12/06/2015] - Vendor notified
[09/03/2016] - Version 6.5.23 released along with a security advisory: \
http://www.sugarcrm.com/security/sugarcrm-sa-2016-001 [13/05/2016] - Vendor notified about the \
ineffective fix [17/06/2016] - CVE number requested
[23/06/2016] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has not assigned a CVE identifier for this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2016-07
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic