SugarCRM's Security Diet - Multiple Vulnerabilities

14 Sep 2017 by Robin Peraglie
SugarCRM Security

SugarCRM is one of the most popular customer relationship management solutions. It is available as a commercial edition and as an open-source community edition and is used by more than 2 million individuals in over 120 countries to manage sensitive customer data 1. Lately its security attracted attention after a researcher reported multiple security issues in the code 2. As a result, a new version of SugarCRM was released.

We wanted to check what our automated code analysis technology RIPS would find after the recent manual audit and how it could contribute to the security. As a result, critical issues were uncovered that could allow attackers to steal customer data or sensitive files from the server.

Read More ...

e107 2.1.2: SQL Injection through Object Injection

23 Dec 2016 by Hendrik Buchwald

e107

The 23rd gift in our advent calendar presents security issues in e107, a content management system that is in development since 2013. Among others, we identified a critical issue that allows any user to update his permissions and to extract sensitive information from the database by exploiting a PHP object injection vulnerability.

Read More ...

Expression Engine 3.4.2: Code Reuse Attack

5 Dec 2016 by Hendrik Buchwald

Expression Engine

Expression Engine is a popular general purpose content management system that is used by thousands of individuals, organizations, and companies around the world. The open-source version has about 250,000 lines of code and is a medium-sized web application. In this post, we will examine a code reuse vulnerability that leads to remote code execution. This vulnerability type allows an attacker to partly control the applications logic and to chain existing code fragements.

Read More ...

Coppermine 1.5.42: Second-Order Command Execution

2 Dec 2016 by Martin Bednorz

Coppermine

The second gift in our advent calendar contains descriptions of vulnerabilities in Coppermine, a very popular picture gallery application written in PHP and in active development since 2003. It consists of ~160,000 lines of code (medium-sized web application) and is downloaded roughly 1,200 times per week.

Read More ...