---------------------------------------------------------------- SugarCRM <= 9.0.1 Multiple Broken Access Control Vulnerabilities ---------------------------------------------------------------- [-] Software Link: https://www.sugarcrm.com [-] Affected Versions: Version 9.0.1 and prior versions, 8.0.3 and prior versions. [-] Vulnerabilities Description: 1) There is a Broken Access Control vulnerability with regards to the "InboundEmail" module. When handling the "Save" action the application fails to properly check whether the user has Admin access to the module, thus allowing any user to create a new "InboundEmail" bean regardless of their roles/permissions. 2) There is a Broken Access Control vulnerability with regards to the "Trackers" module. When handling the "trackersettings" action the application fails to properly check whether the user has Admin access to the module, thus allowing any user to change Trackers' settings regardless of their roles/permissions 3) There is a Broken Access Control vulnerability with regards to the "Campaigns" module. When handling the "WizardEmailSetupSave" action the application fails to properly check whether the user has Admin access to the module, thus allowing any user to change Email Setup for Campaigns regardless of their roles/permissions. 4) There is a Broken Access Control vulnerability with regards to the "ModuleBuilder" module. When the "view_module" parameter is set to an empty string, the application fails to properly check whether the user has permissions to access the module, thus allowing any user to access certain ModuleBuilder actions regardless of their roles. 5) There is a Broken Access Control vulnerability with regards to the "Administration" module. When handling the "SaveMerge" action within the "MergeRecords" module the application fails to properly check whether the user is a System Administrator, thus allowing unauthorized users to inject arbitrary "Administration" beans (which means arbitrary values into the "config" database table). Successful exploitation of this vulnerability requires an user account with Developer access to any module. 6) There is a Broken Access Control vulnerability with regards to the "Administration" module. When handling the "Save" action within the "EmailMan" module the application allows unauthorized users to modify administration settings by invoking the "Administration::saveConfig()" method. Successful exploitation of this vulnerability requires an user account with Developer access to the Emails or Campaigns modules. 7) There is a Broken Access Control vulnerability with regards to the "Administration" module. When handling the "WizardEmailSetupSave" action within the "Campaigns" module the application allows unauthorized users to modify administration settings by invoking the "Administration::saveConfig()" method. 8) There is a Local File Inclusion vulnerability within the "add_to_prospect_list" function. User input passed through the "parent_module" and "parent_type" parameters is not properly sanitized before being used in a call to the include() function. This can be exploited to include arbitrary .php files within the webroot and potentially bypass authorization mechanisms (for instance, by setting the "parent_module" parameter to "Administration" and the "parent_type" parameter to "expandDatabase" or any other action which does not implement ACL checks). [-] Solution: Upgrade to version 9.0.2, 8.0.4, or later. [-] Disclosure Timeline: [07/02/2019] - Vendor notified [01/10/2019] - Versions 9.0.2 and 8.0.4 released [10/10/2019] - Publication of this advisory [-] Credits: Vulnerabilities discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2019-05 [-] Other References: https://support.sugarcrm.com/Documentation/Sugar_Versions/9.0/Ent/Sugar_9.0.2_Release_Notes