SugarCRM Security Exploits

Seeing as the SugarCRM folks failed to announce this on their own site, I would like to announce the release of SugarCRM 3.5.0b.

This release fixes a serious security flaw, allowing escalated permissions for anybody with an account. Some of the accessible pages allow you to upload your own code and execute it.

Essentially, the exploit is loading certain admin pages (by passing the correct GET args) which failed to check for Administrator level permissions.

I would love to say that I helped fix this issue etc, but when I got in contact with the folks at SugarCRM they were in the process of getting 3.5.0b out the door and when we tested my findings, they had already patched it, so good job!

I urge everybody using SugarCRM to upgrade as soon as possible, but please be aware that this exploit can only be taken advantage of if a user already has an account in your system.

– Davey