SugarCRM 12.2.0 Shell Upload

2023.08.23
Credit: EgiX
Risk: High
Local: No
Remote: Yes
CVE: CVE-2023-35808
CWE: CWE-264

----------------------------------------------------------------- SugarCRM <= 12.2.0 (Notes) Unrestricted File Upload Vulnerability ----------------------------------------------------------------- [-] Software Link: https://www.sugarcrm.com [-] Affected Versions: Version 12.2.0 and prior versions. Version 12.0.2 and prior versions. Version 11.0.5 and prior versions. [-] Vulnerability Description: When handling the "save" action within the "Notes" module the application allows uploading of any kind of file into the /upload/ directory. This one is protected by the main SugarCRM .htaccess file, i.e. it doesn't allow access/execution for PHP files. However, this behaviour can be overridden if a subdirectory contains another .htaccess file. So, an attacker can leverage the vulnerability to firstly upload a new .htaccess file and then to upload the PHP code they want to execute. [-] Proof of Concept: https://karmainsecurity.com/pocs/CVE-2023-35808.php [-] Solution: Upgrade to version 12.3.0, 12.0.3, 11.0.6, or later. [-] Disclosure Timeline: [14/02/2023] - Vendor notified [12/04/2023] - Fixed versions released [17/06/2023] - CVE number assigned [23/08/2023] - Publication of this advisory [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-35808 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2023-05 [-] Other References: https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-006/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top