VID 21899
Severity 40
Port 80, ...
Protocol TCP
Class CGI
Detailed Description Sugar Suite is vulnerable to remote file inclusion through the acceptDecline.php script. Sugar Suite is a customer relationship management (CRM) software package written in PHP. Sugar Suite version 3.5.1a, version 4.0 Beta and earlier versions do not properly validate user-supplied input passed in the 'beanFiles[1]' parameter of the 'acceptDecline.php' script. If register_globals is enabled, a remote attacker could send a specially crafted URL request to execute arbitrary PHP code and operating system commands on the affected host.

* References:
http://retrogod.altervista.org/sugar_suite_40beta.html
http://marc.theaimsgroup.com/?l=bugtraq&m=113397762406598&w=2
http://secunia.com/product/6400/

* Platforms Affected:
SugarCRM Inc, Sugar Suite version 3.5.1a
SugarCRM Inc, Sugar Suite version 4.0 Beta and earlier versions
Any operating system Any version
Recommendation Upgrade to the latest version of Sugar Suite (3.5.1e or 4.2.0 or later), available from the SugarCRM Download Web site at http://www.sugarcrm.com/crm/download/sugar-suite.html

As a workaround, disable PHP's 'register_globals' setting.
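The following is an added illustration of the include pattern this advisory describes and of the hardened form; it is not Sugar Suite's own code, and the variable and module names, the allowlist contents and the 'module' parameter are constructed for the example.

```php
<?php
declare(strict_types=1);

// Illustrative example, not SugarCRM code. With register_globals=On, PHP
// created $beanFiles directly from the request, so a script that did
//
//     include($beanFiles[1]);
//
// would include whatever path or URL the client placed in beanFiles[1]
// (the flaw described in this advisory). The hardened form below never
// takes an include path from the request: it resolves a short module name
// through a server-side allowlist and refuses anything else.

// Constructed sample allowlist of module names to on-disk files.
const BEAN_FILES = [
    'Meeting' => 'modules/Meetings/Meeting.php',
    'Call'    => 'modules/Calls/Call.php',
];

/**
 * Map a request-supplied module name to a file from the allowlist.
 * Returns null for any name not in the list, so a URL, a path with
 * directory components, or an unknown name never reaches include().
 */
function resolveBeanFile(string $beanName): ?string
{
    return BEAN_FILES[$beanName] ?? null;
}

/**
 * Defensive runtime check for the configuration the advisory's workaround
 * requires: register_globals must be off so request data cannot populate
 * arbitrary globals such as $beanFiles.
 */
function registerGlobalsDisabled(): bool
{
    return !filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

if (!registerGlobalsDisabled()) {
    http_response_code(500);
    exit('register_globals must be disabled');
}

$beanName = (string) (filter_input(INPUT_GET, 'module') ?? '');
$file = resolveBeanFile($beanName);
if ($file === null) {
    http_response_code(400);
    exit('Unknown module');
}
require_once __DIR__ . '/' . $file;
```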
Related URL CVE-2005-4086,CVE-2005-4087 (CVE)
Related URL 15760 (SecurityFocus)
Related URL 23541 (ISS)