------------------------------------------------------- SugarCRM CE <= 6.3.1 "unserialize()" PHP Code Execution ------------------------------------------------------- author...........: Egidio Romano aka EgiX mail.............: n0b0d13s[at]gmail[dot]com software link....: http://www.sugarcrm.com/ [-] Vulnerable code in different locations: include/export_utils.php:377: $searchForm->populateFromArray(unserialize(base64_decode($query))); include/generic/Save2.php:197: $current_query_by_page_array = unserialize(base64_decode($current_query_by_page)); include/MVC/Controller/SugarController.php:593: $_REQUEST = unserialize(base64_decode($temp_req['current_query_by_page'])); include/MVC/View/views/view.list.php:82: $current_query_by_page = unserialize(base64_decode($_REQUEST['current_query_by_page'])); modules/Import/Importer.php:536: $firstrow = unserialize(base64_decode($_REQUEST['firstrow'])); modules/ProjectTask/views/view.list.php:95: $current_query_by_page = unserialize(base64_decode($_REQUEST['current_query_by_page'])); The vulnerability is caused due to all these scripts using "unserialize()" with user controlled input. This can be exploited to e.g. execute arbitrary PHP code via the "__destruct()" method of the "SugarTheme" class, passing an ad-hoc serialized object through the $_REQUEST['current_query_by_page'] input variable. [-] Disclosure timeline: [31/10/2011] - Vulnerability discovered [05/11/2011] - Vendor notified to secure(at)sugarcrm.com [25/11/2011] - Vendor notified to http://www.sugarcrm.com/forums/f22/critical-security-vulnerability-76537/ [07/12/2011] - Vendor fix the issue on his own within 6.4.0 RC1 release [10/01/2012] - CVE number requested [12/01/2012] - Assigned CVE-2012-0694 [06/02/2012] - Issue addressed within 6.4.0 version [23/06/2012] - Public disclosure [-] Proof of concept: http://www.exploit-db.com/exploits/19381/
