Thread: Critical security vulnerability

#1 — EgiX (Junior Member, joined Nov 2011, 1 post)

Critical security vulnerability

Hi,
my name is Egidio Romano (aka EgiX) and I'm a freelance web application security researcher.
I found a critical security vulnerability in SugarCRM CE, but I think it also affects other editions.

    I tested and successfully exploited these versions:

    SugarCE-5.5.1
    SugarCE-5.5.4
    SugarCE-6.1.7
    SugarCE-6.2.4
    SugarCE-6.3.0
    SugarCE-6.4.0beta6

This vulnerability allows authenticated users to delete or overwrite arbitrary files owned by the webserver,
and this could also lead to the execution of arbitrary PHP code, so a full system compromise would be possible.

According to the SugarCRM Security Policy, I have reported this vulnerability to secure@sugarcrm.com twice:
the first time on 5th November 2011 and the second on 19th November 2011, but I still have not received any response!!

    Please feel free to contact me privately for coordinating a responsible disclosure.

    Regards,
    EgiX
    Last edited by EgiX; 2012-02-01 at 02:07 AM.
