OSVDB ID: 25532

Title: Sugar Suite Multiple Script sugarEntry Global Parameter Remote File Inclusion

Info

Disclosure

May 15, 2006

Discovery

Unknown

Dates

Exploit

May 15, 2006

Solution

Unknown

Description

Sugar Suite contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to multiple scripts in the "modules" directory not properly sanitizing user input supplied to the "sugarEntry" gloabl variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

SugarCRM Inc.

Sugar Suite

4.2.0a

References

Exploit Database: 1785
Milw0rm: 1785
Bugtraq ID: 17987
CVE ID: 2006-2460 (see also: NVD)
Secunia Advisory ID: 20072
VUPEN Advisory: ADV-2006-1791
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-05/0287.html
Vendor URL: http://www.sugarcrm.com/crm/

Credit

rgod - rgodautistici.org - http://retrogod.altervista.org

Direct URL: http://osvdb.org/25532