SugarCRM 6.5.18 SAML Authentication XML External Entity

2016.06.24
Credit: Egidio Romano
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

-------------------------------------------------------------------------- SugarCRM <= 6.5.18 (SAML Authentication) XML External Entity Vulnerability -------------------------------------------------------------------------- [-] Software Link: http://www.sugarcrm.com/ [-] Affected Versions: Version 6.5.18 CE and prior versions. [-] Vulnerability Description: The vulnerable code is located in the constructor method of the "SamlResponse" class: 63. function __construct($settings, $assertion) { 64. $this->settings = $settings; 65. $this->assertion = base64_decode($assertion); 66. $this->xml = new DOMDocument(); 67. $this->xml->loadXML($this->assertion); 68. } Which is being called by the "authenticateUser" method of the "SAMLAuthenticateUser" class: 75. $samlresponse = new SamlResponse($settings, $_POST['SAMLResponse']); User input passed through the "SAMLResponse" POST parameter isn't properly sanitized before being used in a call to the "DOMDocument::loadXML()" method, and there are no calls to the "libxml_disable_entity_loader()" function. This can be exploited by unauthenticated attackers to carry out XML External Entity (XXE) attacks. Successful exploitation of this vulnerability requires SAML authentication to be enabled (disabled by default). [-] Solution: Update to version 6.5.19 CE or higher. [-] Disclosure Timeline: [15/10/2014] - Vendor notified [18/10/2014] - Vendor acknowledgement [15/12/2014] - Version 6.5.19 CE released: http://bit.do/sugar6519 [29/04/2015] - CVE number requested [23/06/2016] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a CVE identifier for this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2016-03

References:

http://karmainsecurity.com/KIS-2016-03


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top