Thread: SugarCRM Unspecified SQL Injection Vulnerability

  1. #1
    kinshibuya is offline A Sugar Hero
    Join Date
    Jul 2008
    Location
    brasil
    Posts
    521

    SugarCRM Unspecified SQL Injection Vulnerability

    Hi!
    I got this e-mail warning about an SQL vulnerability in SugarCRM. Is this true? Am I obligated to update to 5.2h, or is there a patch to solve this?

    Do you have VARM strategy implemented?

    (Vulnerability Assessment Remediation Management)

    If not, then implement it through the most reliable vulnerability intelligence source on the market.

    Implement it through Secunia.

    For more information visit:
    http://secunia.com/advisories/business_solutions/

    Alternatively, request a call from a Secunia representative today to discuss how we can help you with our capabilities; contact us at:
    sales@secunia.com

    ----------------------------------------------------------------------

    TITLE:
    SugarCRM Unspecified SQL Injection Vulnerability

    SECUNIA ADVISORY ID:
    SA36423

    VERIFY ADVISORY:
    http://secunia.com/advisories/36423/

    DESCRIPTION:
    A vulnerability has been reported in SugarCRM, which can be exploited by malicious users to conduct SQL injection attacks.

    Certain unspecified input is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

    The vulnerability is reported in versions 5.2.0g and prior, 5.0.0k and prior, and 4.5.1o and prior.

    SOLUTION:
    Update to version 5.2.0h, 5.0.0l, or 4.5.1p.

    PROVIDED AND/OR DISCOVERED BY:
    Takeshi Terada of Mitsui Bussan Secure Directions, reported via JPCERT/CC

    ORIGINAL ADVISORY:
    JVN:
    http://jvn.jp/en/jp/JVN31035930/index.html
    http://jvndb.jvn.jp/en/contents/2009...09-000056.html

    SugarCRM:
    http://www.sugarcrm.com/forums/showthread.php?t=50907
    http://www.sugarcrm.com/forums/showthread.php?t=50953

    ----------------------------------------------------------------------

    About:
    This Advisory was delivered by Secunia as a free service to help everybody keep their systems up to date against the latest vulnerabilities.

    Subscribe:
    http://secunia.com/advisories/secuni...ty_advisories/

    Definitions: (Criticality, Where etc.)
    http://secunia.com/advisories/about_secunia_advisories/


    Please Note:
    Secunia recommends that you verify all advisories you receive by clicking the link.
    Secunia NEVER sends attached files with advisories.
    Secunia does not advise people to install third party patches, only use those supplied by the vendor.
    Priscila Kin Yamamoto Joranhezon
    Phone: +55 61 32010000
    priscila.joranhezon@nct.com.br
    NCT Informática Ltda

  2. #2
    Angel is offline Sugar Community Member
    Join Date
    Jul 2005
    Location
    Los Angeles
    Posts
    4,813

    Re: SugarCRM Unspecified SQL Injection Vulnerability

    It is real. If you use e-mail in Sugar, you should definitely upgrade.
    Regards,

    Angel Magaña
    Co-Author: Implementing SugarCRM 5.x (Packt Publishing -- Sept. 2010)
    Blog: http://cheleguanaco.blogspot.com.
    Twitter: @cheleguanaco.

    ________
    | Projects: |_____________________________________
    |
    | CandyWrapper (.NET Wrapper for SugarCRM SOAP API). Source now available on GitHub!
    | GoldMine to SugarCRM Express Conversion. Latest: 1.0.1.7 (Nov. 3, 2009)
    | CRM SkyDialer (Skype Integration). Latest: 1.0.2 (Feb. 17, 2010)
    | Round Robin Leads Assignment
    | Phone Number Formatter
    | CaseTwit (Twitter Integration)
    ______________________________________________

  3. #3
    kinshibuya is offline A Sugar Hero
    Join Date
    Jul 2008
    Location
    brasil
    Posts
    521

    Re: SugarCRM Unspecified SQL Injection Vulnerability

    Hi.
    Thanks for the reply. And version 5.2.i also has this vulnerability.
    And what kind of email? I use campaigns.
    Could you give more details on how this vulnerability works?

  4. #4
    roblaus is offline Sugar Community Member
    Join Date
    Dec 2006
    Location
    Vienna / Austria
    Posts
    2,850

    Re: SugarCRM Unspecified SQL Injection Vulnerability

    As it was said in your quoted mail (and by Sugar itself albeit without any reasons given): An upgrade to patch h or i should fix this issue.

    In my opinion such a vulnerability can only be exploited at the moment an email is imported into Sugar, because that's the only way outside code (hidden in an HTML email) may come in contact with your database.

    Since campaigns do import emails (via the bounce settings) they may pose a threat.

    But specialists may explain this better and in more detail...
    __________________________
    Robert Laussegger
    http://www.iscongroup.net

    For questions: support@iscon.at
    The German language files for SugarCRM and the German manual are available here: http://goo.gl/kPsAz
    Now also with 6.4.2

  5. #5
    kinshibuya is offline A Sugar Hero
    Join Date
    Jul 2008
    Location
    brasil
    Posts
    521

    Re: SugarCRM Unspecified SQL Injection Vulnerability

    OK, thanks for the reply! My Sugar is too customized; I will upgrade on the future release of 5.3. I don't work with incoming emails, just with sending email through campaigns and getting click-through links. All users are restricted from importing anything. Thanks for the reply, you all.

  6. #6
    nutri is offline Member
    Join Date
    Aug 2009
    Posts
    13

    Re: SugarCRM Unspecified SQL Injection Vulnerability

    I'm sure about the vulnerability, and I do not use e-mail capabilities in Sugar, but if it is used as a mail client, receiving and viewing an email could probably be exploitable, not only importing mails. In the advisory there are no details about exploitation, and I think that, although some places said remote + no authentication, that's not correct.
    Anyway, if SQL Injection exists, as it is, update.

  7. #7
    judgej is offline Sugar Community Member
    Join Date
    Feb 2007
    Posts
    58

    Re: SugarCRM Unspecified SQL Injection Vulnerability

    I know this is an ancient thread, but I'm on 6.2.0 and I have noticed the SOAP API has an SQL injection vulnerability (I noticed because an Outlook plugin was sending emails with quotes in them, resulting in database errors).

    So, did this never get fixed? Is it perhaps a different vulnerability? Why on earth is there ANY code in Sugar that allows this to happen? Does Sugar not use a database layer to handle all escaping and inserting of parameters into SQL? It just seems like one of those golden rules that we web developers learnt a decade ago; it is unbelievable that SQL injection still gets to see the light of day.

    -- Jason
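An added example (not SugarCRM's own code) of the failure mode Jason describes above: an e-mail subject containing a quote character breaks a query built by string concatenation, while a parameterised query stores the same subject as plain data. The `emails` table, the sample subject and the in-memory sqlite3 database are constructed for illustration.

```python
import sqlite3

# Constructed sample: a subject with quote characters, like the ones the
# Outlook plugin in the thread sent (sample data, not from the page).
SAMPLE_SUBJECT = "Re: O'Brien's invoice"


def make_db():
    """Create a throwaway in-memory database with a minimal emails table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE emails (id INTEGER PRIMARY KEY, subject TEXT)")
    return conn


def insert_concat(conn, subject):
    """Vulnerable pattern: the value is spliced into the SQL text.

    A quote in the subject terminates the string literal early, so the
    statement fails with a database error (the symptom Jason saw), and
    crafted input could change what the statement does.
    """
    sql = "INSERT INTO emails (subject) VALUES ('" + subject + "')"
    conn.execute(sql)
    conn.commit()


def insert_param(conn, subject):
    """Hardened pattern: a parameterised query.

    The SQL text and the value travel separately, so quotes (or anything
    else) in the subject are stored as data and never parsed as SQL.
    """
    conn.execute("INSERT INTO emails (subject) VALUES (?)", (subject,))
    conn.commit()


def demo(subject=SAMPLE_SUBJECT):
    """Run both patterns on one subject.

    Returns (concat_failed, stored_subjects): whether the concatenated
    query raised a database error, and what the parameterised query stored.
    """
    conn = make_db()
    try:
        insert_concat(conn, subject)
        concat_failed = False
    except sqlite3.Error:
        concat_failed = True
    insert_param(conn, subject)
    stored = [row[0] for row in conn.execute("SELECT subject FROM emails")]
    conn.close()
    return concat_failed, stored
```

The same contrast applies to any database driver with placeholder support; the escaping Jason asks about belongs in that layer, not in each caller.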

  8. #8
    Angel is offline Sugar Community Member
    Join Date
    Jul 2005
    Location
    Los Angeles
    Posts
    4,813

    Re: SugarCRM Unspecified SQL Injection Vulnerability

    Well, in the end, things are still coded by humans and *all* humans make mistakes.

    That being said, it sounds like a different vulnerability, assuming it is confirmed as such.
    Regards,

    Angel Magaña

  9. #9
    jmertic is offline Sugar Community Manager
    Join Date
    Dec 2007
    Posts
    2,224

    Re: SugarCRM Unspecified SQL Injection Vulnerability

    Can you confirm that this is part of the latest 6.2.3 release? We've had several security vulnerabilities fixed since then.

    If not, then send an email to secure@sugarcrm.com with the issue.
    John Mertic
    Sugar Community Manager
