-------------------------------------------------------------------------- SugarCRM <= 6.5.18 (SAML Authentication) XML External Entity Vulnerability -------------------------------------------------------------------------- [-] Software Link: http://www.sugarcrm.com/ [-] Affected Versions: Version 6.5.18 CE and prior versions. [-] Vulnerability Description: The vulnerable code is located in the constructor method of the "SamlResponse" class: 63. function __construct($settings, $assertion) { 64. $this->settings = $settings; 65. $this->assertion = base64_decode($assertion); 66. $this->xml = new DOMDocument(); 67. $this->xml->loadXML($this->assertion); 68. } Which is being called by the "authenticateUser" method of the "SAMLAuthenticateUser" class: 75. $samlresponse = new SamlResponse($settings, $_POST['SAMLResponse']); User input passed through the "SAMLResponse" POST parameter isn't properly sanitized before being used in a call to the "DOMDocument::loadXML()" method, and there are no calls to the "libxml_disable_entity_loader()" function. This can be exploited by unauthenticated attackers to carry out XML External Entity (XXE) attacks. Successful exploitation of this vulnerability requires SAML authentication to be enabled (disabled by default). [-] Solution: Update to version 6.5.19 CE or higher. [-] Disclosure Timeline: [15/10/2014] - Vendor notified [18/10/2014] - Vendor acknowledgement [15/12/2014] - Version 6.5.19 CE released: http://bit.do/sugar6519 [29/04/2015] - CVE number requested [23/06/2016] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a CVE identifier for this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2016-03