Sugar Suite "sugarEntry" Parameter Security Bypass

[mikeshinn]

Secunia is reporting a vulnerability in Sugar Suite, that may allow remote code uploads to effected servers. The details are here: http://secunia.com/advisories/20072/

This only appears to effect systems with "register_globals" set to On, which is not required for Sugar to work and htaccess should include register_globals off, so this shouldn't effect anyone really, but hey you never know. If you are concerned about this effecting your system, and you dont have time to patch, change your php.ini, check your .htaccess, etc. you can use mod_security to block these attacks with these signatures:


#Sugar Suite "sugarEntry" Parameter Security Bypass
SecFilterSelective REQUEST_URI "/modules/.*/.*\.php\?GLOBALS\[sugarEntry\].*((ht|f)tps?:/|\.\./\.\.)" "id:390054,rev:1,severity:2,msg:'JITP: Sugar Suite sugarEntry Parameter Security Bypass'"
SecFilterSelective REQUEST_URI "/modules/.*/.*\.php\?cmd=.*GLOBALS\[sugarEntry\].*((ht|f)tps?:/|\.\./\.\.)" "id:390055,rev:1,severity:2,msg:'JITP: Sugar Suite sugarEntry Parameter Security Bypass'"

For instructions on how to setup mod_security, please feel free to visit:

http://www.gotroot.com/tiki-index.ph...security+rules

Its pretty simple, and most of the newer Linux distributions come with mod_security, or allow you to download binaries for easy install.

[andydreisch]

Thanks for the heads up, mikeshinn. We'll look into this right away.

Andy

[andydreisch]

Hi mikeshinn, as you point out, even though "register_globals" is required to be ON for this vulnerability to occur, we've looked into it anyway and determined that we can address this issue in code as well, just in case.

(Edit: You also have to set Allow Override to Off in Apache)

That we're doing.

Expect a patch to 4.0.1 and 4.2 product releases within the next days/week.

Thanks again for the heads up.

Andy

[clint]

Hi all -

4.2.0 Patch B has been released which contains a code fix for this reported issue.

Here's the pointer to the release announcement:
http://www.sugarcrm.com/forums/showthread.php?t=12393

Expect a 4.0.1 Patch G in the next few days.

Regards,
Clint

[filcole]

This is confusing me. I've just downloaded a full install of SugarSuite-4.2.0d and index.php still starts with

Code:

$GLOBALS['sugarEntry'] = true;

instead of

Code:

if(!defined('sugarEntry'))define('sugarEntry', true);

as explained in the forums here: http://www.sugarcrm.com/forums/showthread.php?t=12621

Does the full install of SugarSuite 4.2.0d need to be updated?

Edit: The answer is here: http://www.sugarcrm.com/forums/showp...74&postcount=5