Family: CGI abuses --> Category: attack
SugarCRM <= 4.0 beta Remote File Inclusion Vulnerability (Vulnerability Scan)
Vulnerability Scan Summary: Check if SugarCRM is vulnerable to Directory Traversal and Remote File Inclusion
Detailed Explanation for this Vulnerability Test
Synopsis:
The remote web server contains a PHP script that is prone to multiple flaws.
Description:
SugarCRM is a Customer Relationship Manager written in PHP.
The version of SugarCRM installed on the remote host does not properly sanitize user input in the 'beanFiles[]' parameter of the 'acceptDecline.php' file. An attacker can use this flaw to display sensitive information and to include malicious code, which can be used to execute arbitrary commands.
This vulnerability exists only if PHP's 'register_globals' setting is enabled.
See also:
http://retrogod.altervista.org/sugar_suite_40beta.html
http://marc.theaimsgroup.com/?l=bugtraq&m=113397762406598&w=2
Solution:
Upgrade to Sugar Suite version 3.5.1e and/or disable PHP's 'register_globals' setting.
Threat Level:
Medium / CVSS Base Score: 4.9
(AV:L/AC:L/Au:NR/C:P/I:P/A:P/B:N)